In various places, including the Twitch API challenge, folks say not to expose API keys for security reasons. What are those security reasons? Take Twitch as an example. Anyone can sign up as a developer and get an API key, so what’s so bad about having those keys exposed? Does keeping it unexposed allow for better tracking of who’s using which APIs for whatever purposes?
On the front-end, such as the Twitch API, I am not aware of any way to use an API key but not expose it.
The worst thing that should be possible when exposing an API key to the client is they use it and hit an API limit. If they can do anything worse than that, then you shouldn’t be exposing the key to the client.
On the back-end it’s much easier to hide API keys, such as a Client ID or a Secret by using a process.env variable to store the value of the key on the server, and then just reference that variable whenever you need to use the key. Like how the FCC KB suggests using a process.env variable for the MONGOLAB_URL when setting up MongoDB for deployment to Heroku.
Looking back at my Twitch Project, just followed the steps in this FCC KB on building the Twitch Project without an API key: