It looks like they provide pin.js so that your server never has to accept the credit card details, but rather a single-use token (much like Stripe, I believe).
Oh, that's cool, thanks for the docs link. I like the way the API hijacks the form submit and replaces the card with the token. I'm still a bit curious as to what a nefarious user could do with your "publishable API key," but this is much better than I had initially thought.
> I'm still a bit curious as to what a nefarious user could do with your "publishable API key,"
I suspect very little if they don't also have your 'secret' API key. I guess they could request a single-use token for a card, but I don't think they could then do anything with it.
https://pin.net.au/docs/pin_js