I think that in this use case (a contact form) an API key is not the way to secure your API / contact form.

In a contact form, what do you need to secure?

- Submissions by robots => Solution: a CAPTCHA (e.g. Google Captcha)
- Repeated submissions by evil people => Solution: implement in your API a validation feature that prevents this by verifying the agent and source IP.
- Submissions by direct HTTP request (without using your web form) => Solution: implement domain constraints in your API (allow only submissions from your web domain).
- Man in the middle, like an evil proxy (theft and data manipulation) => Solution: implement HTTPS in your API.

If your API needs an API key, and this API is requested by a browser, your API key will always be visible in dev tools.

Source: stackexchange.com
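The server-side checks the answer lists, written out as an added example that is not part of the answer or of any particular framework: an Origin/Referer allow-list for the "domain constraint", a sliding-window rate limiter keyed on source IP plus User-Agent for the "repeated submissions" case, and a CAPTCHA verification hook. The allowed origins, the client IP and the `captcha_verify` callable are assumptions for the example; a real deployment would call the CAPTCHA provider's verification endpoint with the site secret. HTTPS is a transport setting configured on the web server or proxy, so it is not shown here. One point worth keeping in mind from a defender's side: browsers do not let page scripts change the `Origin` header, so the allow-list stops other sites' pages from posting to the endpoint, but any non-browser client can send whatever headers it likes, which is why the rate limiter and the CAPTCHA still run for every request that passes the origin check.

```python
import time
from collections import deque
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Origins allowed to submit the form (assumed values; use your own site here).
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Domain constraint: accept only requests whose Origin (or, failing that,
    the origin part of Referer) is on the allow-list. Requests carrying neither
    header are rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = "{}://{}".format(parts.scheme, parts.netloc)
    return origin in ALLOWED_ORIGINS


class SlidingWindowLimiter:
    """Allow at most `limit` submissions per key within `window` seconds.
    The key is built by the caller, e.g. source IP plus User-Agent."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, deque] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        # `now` is injectable so the behaviour can be tested without sleeping.
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def captcha_ok(token: str, verify: Optional[Callable[[str], bool]]) -> bool:
    """CAPTCHA gate. `verify` stands in for the provider's server-side
    verification call (assumption); with no verifier nothing is accepted."""
    if not token or verify is None:
        return False
    return bool(verify(token))


def handle_contact_submit(
    headers: Dict[str, str],
    client_ip: str,
    form: Dict[str, str],
    limiter: SlidingWindowLimiter,
    captcha_verify: Optional[Callable[[str], bool]] = None,
) -> Tuple[int, str]:
    """Run the checks in order of cost and return (HTTP status, reason).
    Note there is no API key anywhere: nothing secret is handed to the browser."""
    if not origin_allowed(headers):
        return 403, "origin not allowed"
    key = "{}|{}".format(client_ip, headers.get("User-Agent", ""))
    if not limiter.allow(key):
        return 429, "too many submissions"
    if not captcha_ok(form.get("captcha_token", ""), captcha_verify):
        return 400, "captcha failed"
    if not form.get("message", "").strip():
        return 400, "empty message"
    return 200, "accepted"


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate browser submission, one cross-site post.
    good_headers = {"Origin": "https://example.com", "User-Agent": "Mozilla/5.0 (demo)"}
    bad_headers = {"Origin": "https://attacker.example", "User-Agent": "curl/8.0"}
    limiter = SlidingWindowLimiter(limit=5, window=60)
    verifier = lambda tok: tok == "valid-token"  # stand-in for the provider call
    form = {"captcha_token": "valid-token", "message": "Hello"}
    print(handle_contact_submit(good_headers, "203.0.113.5", form, limiter, verifier))
    print(handle_contact_submit(bad_headers, "203.0.113.9", form, limiter, verifier))
```

The limiter runs before the CAPTCHA check on purpose: CAPTCHA verification costs a network round trip to the provider, so a flood from one client should be cut off before that call is made.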