Secrets and Client Side API Calls

What I’m trying to do:
Do API calls from the client side that require API keys. These are keys that are not user-specific, rather the same keys are used for every user.

What I’ve tried and what’s not working:
Made API calls from server functions and stored the keys in the secrets service. It works, just not what I’m after.

I have seen some posts here with people making API calls from the client side, but I don’t understand how people are managing their API keys on the client side. I understand that when keys/tokens are user specific, it is ok to call a server function to work with them in the client side code. Server code can work with the anvil secrets service.

But I don’t know how to handle general app secrets on the client side, considering client code is untrusted. I probably shouldn’t return an app secret to client code, or am I missing something?

Do I just stick to using server functions in this scenario?

You’re not missing anything: returning a general secret to client code exposes that secret to a sufficiently motivated hacker. Whether you care or not depends on the consequences of exposing it. In general, you wouldn’t want to do that, because you want to have control over calls to the API (for rate limiting, usage limits, terms of service compliance, etc).

Some APIs have a way to get a temporary token you can pass to the client.

Personally, based on what you’ve described, I’d keep using server calls to make the API calls.

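The two options in the reply above, as an added example that is not code from this thread or from Anvil itself. Everything in it is a constructed stand-in so it runs offline: the secret store is a dict (in a real Anvil app the server function would read the key with `anvil.secrets.get_secret` and be exposed to the client with `@anvil.server.callable`, called via `anvil.server.call`), and the third-party API, its signing key, the endpoint names and the rate-limit numbers are all invented for illustration. Option 1 keeps the long-lived key on the server and proxies calls through an allowlist and a per-caller rate limit; option 2 models an API that exchanges the long-lived key for a scoped, expiring token that is safe enough to hand to the client, because leaking it only exposes one endpoint for a few minutes.

```python
"""Keeping a shared (non-user-specific) API key off the client: proxy vs. temporary token."""
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# --- Constructed stand-ins (not Anvil's APIs) --------------------------------
# Server-side secret store. Anvil's Secrets service plays this role in a real app.
_APP_SECRETS = {"weather_api_key": "app-key-EXAMPLE-ONLY"}

def get_secret(name):
    return _APP_SECRETS[name]

# The third-party API, simulated. Its signing key is its own, never ours.
_UPSTREAM_SIGNING_KEY = b"upstream-signing-key-EXAMPLE-ONLY"
_UPSTREAM_VALID_KEYS = {"app-key-EXAMPLE-ONLY"}

def upstream_call(endpoint, params, api_key):
    """Third party's endpoint that takes the long-lived key (hypothetical)."""
    if api_key not in _UPSTREAM_VALID_KEYS:
        raise PermissionError("bad api key")
    return {"endpoint": endpoint, "params": params, "ok": True}

def upstream_issue_temp_token(api_key, scope, ttl, now):
    """Hypothetical API that swaps the long-lived key for a scoped, expiring token."""
    if api_key not in _UPSTREAM_VALID_KEYS:
        raise PermissionError("bad api key")
    claims = json.dumps({"scope": scope, "exp": int(now + ttl)}, sort_keys=True)
    body = base64.urlsafe_b64encode(claims.encode()).decode()
    sig = hmac.new(_UPSTREAM_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def upstream_verify_token(token, endpoint, now):
    """Third party's check of a temporary token: signature, expiry, scope."""
    body, _, sig = token.partition(".")
    expected = hmac.new(_UPSTREAM_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now > claims["exp"]:
        return False, "expired"
    if claims["scope"] != endpoint:
        return False, "wrong scope"
    return True, "ok"

def upstream_call_with_token(endpoint, params, token, now):
    """Third party accepting the temporary token instead of the key."""
    ok, reason = upstream_verify_token(token, endpoint, now)
    if not ok:
        raise PermissionError(reason)
    return {"endpoint": endpoint, "params": params, "ok": True}

# --- Option 1: a server function proxies the call ---------------------------
ALLOWED_ENDPOINTS = {"forecast", "current"}   # invented endpoint names
RATE_LIMIT = 5                                # calls per caller per window
WINDOW_SECONDS = 60.0
_recent_calls = defaultdict(deque)

def within_rate_limit(caller_id, now):
    """Sliding-window limit so the shared key cannot be burned by one client."""
    q = _recent_calls[caller_id]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True

def proxy_api_call(caller_id, endpoint, params, now=None):
    """What the @anvil.server.callable would do: the key is read and used only here."""
    now = time.time() if now is None else now
    if endpoint not in ALLOWED_ENDPOINTS:
        raise ValueError(f"endpoint {endpoint!r} not allowed")
    if not within_rate_limit(caller_id, now):
        raise RuntimeError("rate limit exceeded")
    # Only the upstream response goes back to the client, never the key.
    return upstream_call(endpoint, params, get_secret("weather_api_key"))

# --- Option 2: a server function hands the client a temporary token ---------
TOKEN_TTL_SECONDS = 300

def get_temporary_token(caller_id, endpoint, now=None):
    """Server side still holds the key; the client only ever sees the scoped token."""
    now = time.time() if now is None else now
    if endpoint not in ALLOWED_ENDPOINTS:
        raise ValueError(f"endpoint {endpoint!r} not allowed")
    if not within_rate_limit(caller_id, now):
        raise RuntimeError("rate limit exceeded")
    return upstream_issue_temp_token(get_secret("weather_api_key"), endpoint,
                                     TOKEN_TTL_SECONDS, now)

def contains_app_key(value):
    """Reviewer's check: nothing returned to the client may embed the long-lived key."""
    return get_secret("weather_api_key") in json.dumps(value)
```

Either way the client code never receives the app secret; the difference is only whether every call round-trips through the server (option 1) or the client talks to the third party directly with a credential whose blast radius is bounded by scope and expiry (option 2).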