Hey Bubble Forum!
Quick question on using API keys in plugin HTML headers — I see it’s noted in the example but how secure is this practice?
When making client-side calls with an API key from an uploaded script to Bubble’s CDN, is there any risk of exposure?
Would love to hear about any best practices around this.
Not secure unfort. Best practices are to create your own proxy in between.
only public keys are available client side, so by definition it’s ok to use them in the plugin html because you are not supposed to put sensible data in the public key anyway.
For requests with private data you should use a server action, or the api connector, but both will not be available in the html header of the plugin. It will require your end user to setup a workflow in the editor.