How Can I Safeguard API Keys on the Frontend?

Asked By CuriousCoder89 On

I'm currently interning and trying to learn as much as I can. Recently, my manager and our senior DevOps engineer have been insisting that I "hide" our API URLs and keys from the frontend. They want to ensure these details aren't visible in the browser's developer tools, including the Network and Sources tabs. I've done some reading and gathered that anything included in the frontend can potentially be exposed since the API calls and keys are part of the network requests. Is there a misunderstanding on my part? Can API keys actually be protected in web applications?

5 Answers

Answered By DevWhiz93 On

You're spot on that anything sent to the client can be accessed. You might consider obfuscating it, but remember: obfuscation isn’t security. The best practice is to handle sensitive data server-side.

Answered By DevGuru42 On

To keep your API keys safe, you'd want to call your APIs from a backend endpoint. This way, your frontend interacts with your backend, which then makes the actual API call, keeping your keys secure and hidden from the browser. Just exposing the keys on the frontend isn’t secure, so using a backend proxy helps immensely.

Answered By SavvyDev88 On

Chances are your leads are asking you to ensure the API key isn’t exposed to users by making API calls from the server. If they’re referring to hiding endpoints, it’s a matter of routing those requests through your backend, essentially making it a middleman for any sensitive communications.

Answered By FrontendFreak88 On

Yes, anything visible in the frontend is public. Make sure your requests go through a backend proxy to limit exposure. Anything directly accessed by the client is at risk, so always handle sensitive data on the server.

Answered By TechieTim_99 On

It's crucial to ensure that users authenticate, receiving a temporary access token that allows them to call the API while keeping the actual keys hidden. If any keys are being passed to the frontend, even indirectly, they can be exposed.
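
The backend-proxy and temporary-token approach described in the answers above, as an added example that is not part of the original thread. The route, upstream URL, key values and function names are all constructed for illustration; the point is that the browser only ever holds a short-lived signed token, while the upstream URL and API key exist only in the server-side request.

```javascript
const crypto = require("node:crypto");

// Constructed values; a real service loads these from a secret store, never from source.
const SECRETS = { upstreamKey: "sk_constructed_example_key", signingKey: "constructed-signing-key" };

// Allow-list of frontend routes. The upstream URL is never sent to the browser.
const ROUTES = new Map([["/api/weather", "https://upstream.example/v1/weather"]]);

const sign = (payload) =>
  crypto.createHmac("sha256", SECRETS.signingKey).update(payload).digest("base64url");

// Issued after the user authenticates. Assumes userId contains no "." character.
function issueSessionToken(userId, nowMs, ttlMs = 15 * 60 * 1000) {
  const payload = `${userId}.${nowMs + ttlMs}`;
  return `${payload}.${sign(payload)}`;
}

// Returns the user id for a valid, unexpired token, otherwise null.
function verifySessionToken(token, nowMs) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [userId, expires, mac] = parts;
  const expected = Buffer.from(sign(`${userId}.${expires}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return Number(expires) > nowMs ? userId : null;
}

// Maps a browser request to the request the server sends upstream.
// The API key is attached here, on the server, and nowhere else.
function buildUpstreamRequest(clientReq, nowMs) {
  if (!verifySessionToken(clientReq.sessionToken, nowMs)) return { status: 401 };
  const target = ROUTES.get(clientReq.path);
  if (!target) return { status: 404 };
  const url = new URL(target);
  for (const [k, v] of Object.entries(clientReq.query || {})) url.searchParams.set(k, v);
  return {
    status: 200,
    url: url.toString(),
    headers: { Authorization: `Bearer ${SECRETS.upstreamKey}` },
  };
}
```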
