API grant from machine
Looking for advice on allowing a REST API POST for a lead-gen form from a separate domain.
Let's say I have client.com and I need to post a form through an API route to services.client.com. Since I can't do CSRF that way, what would be the best way to authenticate the request if there are no users to log in with? I get the idea of an implicit grant, but then the key is still stored on the client side. Is it really normal to make a proxy request to the backend of client.com, which makes another call to services.client.com, just to hide the key? It seems really bad to make two calls just to submit a form if you have no users. Is there a way to just say "allow any requests from client.com or client2.com"? I'm aware that CORS is an option, but it's not reliable for authentication.
Am I missing something? Please help.
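As an added illustration (not from the original post) of the two options the question contrasts, the following Python sketches the proxy pattern: client.com's backend holds a shared secret that never reaches the browser, signs the lead payload with an HMAC and a timestamp, and services.client.com verifies the signature. Alongside it is an Origin-allowlist check in the style of CORS, kept separate to show why it is only a browser-side courtesy and not authentication: non-browser clients can omit or set `Origin` freely. The secret, header names, origin list and skew window are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed for this example: the shared secret lives only on client.com's
# backend and on services.client.com; the browser never sees it.
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"
ALLOWED_ORIGINS = {"https://client.com", "https://client2.com"}
MAX_SKEW_SECONDS = 300  # reject signed requests older than five minutes


def canonical(payload: dict) -> bytes:
    # Deterministic encoding so both sides sign exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    # HMAC over timestamp + canonical body; the timestamp limits replay.
    msg = str(timestamp).encode() + b"." + canonical(payload)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(payload: dict, timestamp: int, signature: str,
           now: Optional[int] = None, secret: bytes = SHARED_SECRET) -> bool:
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign(payload, timestamp, secret)
    # Constant-time comparison avoids leaking the signature byte by byte.
    return hmac.compare_digest(expected, signature)


def origin_allowed(headers: dict) -> bool:
    # CORS-style allowlist check. Only browsers send Origin and only browsers
    # enforce the Access-Control-* response headers, so this governs what a
    # page in someone's browser may read, not who is allowed to call the API.
    return headers.get("Origin") in ALLOWED_ORIGINS


def services_handler(headers: dict, body: dict,
                     now: Optional[int] = None) -> Tuple[int, str]:
    # Hypothetical handler at services.client.com: accepts only signed requests.
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return 400, "missing or malformed timestamp"
    if not verify(body, ts, headers.get("X-Signature", ""), now=now):
        return 401, "bad or expired signature"
    return 201, "lead accepted"


def proxy_submit(form: dict, now: Optional[int] = None) -> Tuple[int, str]:
    # Hypothetical route on client.com's backend: the browser posts the form
    # here; this side adds the signature and forwards to services.client.com.
    ts = int(time.time()) if now is None else now
    headers = {"X-Timestamp": str(ts), "X-Signature": sign(form, ts)}
    return services_handler(headers, form, now=now)


if __name__ == "__main__":
    print(proxy_submit({"email": "lead@example.com", "name": "Test Lead"}))
    # A direct browser call carrying only an Origin header is refused.
    print(services_handler({"Origin": "https://client.com"}, {"email": "x"}))
```

The signature proves that the request passed through a server holding the secret; it says nothing about the human behind the form, so the proxy route on client.com still needs its own abuse controls (rate limiting, a bot check) exactly as a same-origin form would.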