Back in my day, we called these hidden form elements.

<form action="/cgi-bin/delete.pl" method="POST" accept-charset="UTF-8"
+>
  <div class="form-group">
    <label for="id">&nbsp;Your token</label> 
    <input id="id" name="token" type="text" class="form-control" reado
+nly >
  </div>
  <div class="form-group">
   <input type="hidden" name="key" value="gfgf">
   <input type="hidden" name="usr" value="rob">
   <button name="submit" type="submit" class="btn btn-primary">Delete<
+/button>
  </div>
</form>
[download]

Fortunately, we've learned a few things since then, like:

• Send values via method=POST so you don't broadcast your values in the action URL even when using SSL/TLS
• .cgi is a pain to maintain (use Dancer2 or Mojo)
• this pattern of HTML form + cgi processor is inferior to using a modern JavaScript async call to send the data to a RESTful API endpoint (like /cgi-bin/rob/gfgf with method=DELETE, encoded as application/json

To answer your question about what is happening? The browser is resetting the query part of your action (when method=GET, adding only the named form elements to the call to action and stupidly dropping what's in there. I am sure I had actions with query params in them once upon a time, and I don't recall the query string being fully replaced. But in any case, that's what's happening. I bet if you set method=POST and kept that action it would retain your query params. But use the <input type="hidden"..., that's what it's for.