So if you have control over the form, then you probably want to change it to:
<form action="/cgi-bin/delete.pl" method="post" accept-charset="UTF-8"
<label for="id"> Your token</label>
<input id="id" name="token" type="text" class="form-control">
<input name="key" value="gfgf" type="hidden">
<input name="usr" value="rob" type="hidden">
<button name="submit" type="submit" class="btn btn-primary">Delete<
I think that's what perlfan suggested, but I am wanting to show in the above code that you'd definitely want to use the clean (no query string) URL to "post" to, plus the hidden fields shown above, because it's possible that your script, when it decodes the incoming parameters, won't do it correctly if there are query string ("get") parameters at the same time there are "post" parameters, even if the parameter names don't conflict. You might as well eliminate that risk, as shown.
Also, do NOT use the "readonly" attribute. The user wouldn't be able to modify the contents of that field, meaning that the user will see a blank id field when it's displayed and won't be able to enter anything into it (what your form is calling a "token"). I've never seen the "readonly" attribute used in an HTML form, in 25 years of coding. Interesting.