Security

Authentication

1DB uses API keys for machine-to-machine lead submission. Keep them on the server, rotate them deliberately, and route every public form through a server endpoint you control so the key never reaches a browser.

Store keys server-side

Put `ONEDB_API_KEY` in your server environment and read it only from server code. Do not bundle it into the browser; in Next.js that means never giving it a `NEXT_PUBLIC_` prefix, because variables with that prefix are inlined into the client bundle at build time.

Proxy public submissions

Use a route handler, serverless function, or server action that accepts the browser's submission, attaches the API key on the server, and forwards the data to 1DB. The browser only ever talks to your endpoint.

Rotate keys per surface

Generate a separate key for each website or environment (for example one for the marketing site and one for staging) so that a compromised key can be revoked without taking the other surfaces offline.

Recommended Server Flow

app/api/submit/route.ts
export async function POST(request: Request) {
  // The key is read on the server only. Fail closed if it is not configured
  // rather than forwarding a request with an empty header.
  const apiKey = process.env.ONEDB_API_KEY;
  if (!apiKey) {
    return new Response(JSON.stringify({ error: "ONEDB_API_KEY is not configured" }), {
      status: 500,
      headers: { "Content-Type": "application/json" },
    });
  }

  // Reject malformed bodies with a 400 instead of letting the parse error
  // surface as a 500.
  let payload: Record<string, unknown>;
  try {
    payload = await request.json();
  } catch {
    return new Response(JSON.stringify({ error: "Invalid JSON body" }), {
      status: 400,
      headers: { "Content-Type": "application/json" },
    });
  }

  const response = await fetch("https://your-deployment.convex.site/v1/leads", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "X-API-Key": apiKey,
    },
    // Spread the client payload first so the server-controlled formSlug wins;
    // with the spread last, a client could override formSlug and submit to a
    // different form.
    body: JSON.stringify({
      ...payload,
      formSlug: "contact-form",
    }),
  });

  return new Response(await response.text(), {
    status: response.status,
    headers: { "Content-Type": "application/json" },
  });
}

Do not trust browser-only protection

Obfuscating keys in client code, assembling them at runtime, or guarding them with front-end conditions (such as an origin or referrer check) does not make them private. Anything shipped to the browser can be read from the developer tools or the network tab, and a non-browser client can send whatever `Origin` or `Referer` header it likes. If the browser can read the key, a third party can too.

Next.js Guide

Use App Router route handlers and Server Actions safely.

HTML Forms Guide

See a simple proxy pattern for static and no-framework websites.