Securing Your Tokengated Google Form: How Gandalf Eliminates Bot Attacks and Spam


We just launched this feature on Launchcaster, please upvote if you like it!

Tokengating is a very neat way to share exclusive content with a select audience. It’s probably even cooler for collecting information about a specific community. Whether you’re just doing a survey or distributing t-shirts, you want to ensure that only qualified people can submit their information.

Prior to Gandalf, there was no real way to prevent a tokengated Google Form (or Typeform) from being spammed or attacked by bots. In this article, we’ll take a deep dive into how Gandalf works with Google Forms and Typeform to ensure a secure, spam-free environment.

How it works

When you connect your Google or Typeform account to Gandalf, we’re able to add a [hidden] field that holds an authorisation key, and we can monitor submissions in real time.

Gandalf Form Security Explanation

Happy Path ✅

  1. A user navigates to the form via the Gandalf URL.
  2. Gandalf authenticates the user’s wallet to determine if they possess the required token or NFT.
  3. If validated, an authorization key (generated server-side) is passed into the [hidden] field in the form.
  4. On submission, the Gandalf server checks this response to see if the key is indeed valid. If so, nothing is done.

Malicious Actor Path

  1. In an attempt to be sneaky, a malicious actor tries to fill in the form without going through the Gandalf URL.
  2. As such, no authorisation key is generated by Gandalf on their behalf.
  3. Such an actor has to submit a form with no authorisation key or with an invalid key – only Gandalf is capable of generating a valid key.
  4. On submission, the Gandalf server checks this response to see if the submitted key is indeed valid.
    • Submissions with no authorisation keys are deleted.
    • Submissions with invalid authorisation keys are deleted.
    • Submissions with duplicate authorisation keys are also deleted, ensuring one response per valid user.
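
One way the server-side check described in both paths could work, as an added example that is not Gandalf's code: the HMAC key format, `SERVER_SECRET`, `issue_key`, `key_is_valid` and `triage` are assumptions, and the sample rows are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret known only to the gating server.
SERVER_SECRET = secrets.token_bytes(32)


def _tag(form_id: str, wallet: str) -> str:
    msg = f"{form_id}|{wallet.lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_key(form_id: str, wallet: str) -> str:
    """Called only after the wallet passed the token/NFT check."""
    return f"{wallet.lower()}.{_tag(form_id, wallet)}"


def key_is_valid(form_id: str, key: str) -> bool:
    wallet, sep, tag = key.partition(".")
    if not sep:
        return False
    # Constant-time comparison; bytes avoid the TypeError str raises on non-ASCII input.
    return hmac.compare_digest(tag.encode(), _tag(form_id, wallet).encode())


def triage(form_id, submissions):
    """Split (row_id, hidden_field) pairs into kept rows and deleted rows with reasons."""
    seen, kept, deleted = set(), [], []
    for row_id, key in submissions:
        if not key:
            deleted.append((row_id, "missing key"))
        elif not key_is_valid(form_id, key):
            deleted.append((row_id, "invalid key"))
        elif key in seen:
            deleted.append((row_id, "duplicate key"))
        else:
            seen.add(key)
            kept.append(row_id)
    return kept, deleted


# Constructed sample: one gated user, then three submissions that bypass the gate.
FORM = "form-demo"
good = issue_key(FORM, "0xA11CE0000000000000000000000000000000BEEF")
ROWS = [(1, good), (2, ""), (3, good[:-1] + "x"), (4, good)]

if __name__ == "__main__":
    print(triage(FORM, ROWS))
```

Because the key in this sketch is derived from the form and the wallet, a repeated key means the same wallet submitted twice, which is what makes the duplicate rule enforce one response per user.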

Pro Tip 💡 – If your Google Form responses are linked to a Google Sheet, Gandalf will also extend this secure gating to the spreadsheet. All invalid submissions will be deleted from the sheet too!

And that’s how the ✨magic✨ is made!

In the future, we’ll be improving our forms integration in the following ways:

  • Wallet Only Validation: Validate users based on wallet ownership, no NFT/restriction criteria needed. 🪙
  • Social Connect: Optionally require users to link their Twitter or Discord accounts before form submission. 🐦🎮

At Gandalf, our mission is to evolve into the most comprehensive platform for tokengating, and this is just the beginning of our magical journey. We’re eager to hear from everyone—whether it’s feedback, new feature suggestions, or reports on bugs you’ve found!
