Gista.js

A capability URL is a link that acts as a key. If you know the URL, you have access. No login, no password — the link itself is the permission.

You've seen this before

Google Docs — "anyone with the link can view" sharing
Doodle polls — create a poll, get a unique link to share and a different link to manage it

Your form builder uses the same pattern. When you create a form, the server generates a secret token and builds a results URL with it: /forms/5/results/a3x9k2.... Anyone with that URL can see submissions. Anyone without it can't.

The limits

Capability URLs are simple and effective, but they have real limits:

Can't revoke access without changing the URL itself
Can't know who accessed it — just that someone with the link did
Sharing is all-or-nothing — if you share the link, the other person has the same access you do

These limits are fine for a form builder. But when you need to know who someone is — not just whether they have a link — that's when you need login and user accounts.