Always put API keys in request headers
Always put API keys in request headers. Then they're not visible in browser history, logs, etc:
fetch("https://api.carta.com/data", {
  headers: {
    Authorization: `Bearer ${apiKey}`,
    "Content-Type": "appl...

Tiger's Place

Always put API keys in request headers to avoid exposure in browser history or logs. For frontend code, never put sensitive keys in headers or URLs; use a proxy backend for production-ready projects. Use different keys for different environments and store them securely using environment variables. Rotate keys periodically to maintain security.

API keys best practices notes

Permalink Always put API keys in request headers

Permalink Keep different keys for different environments