The solution proposed was to store API keys securely in a controlled vault, such as Xano's backend or Make's platform, where unauthorized users and external entities cannot access them. The front end then calls your own backend, and the backend in turn calls the third-party API on the user's behalf. This way the secret key stays in the backend instead of being sent to the front end.
Furthermore, the method of using cookies or local storage to authenticate requests was explained. The access token (typically issued by Xano or Firebase for the backend) identifies the user to the backend, and a serverless function or a Xano endpoint then handles the second request to the third-party API, attaching the secret server-side.
The concept of eliminating the middleman was also discussed: companies like Google Analytics use a tag together with a cookie stored locally on the user's machine. Because that cookie is per user and transient, it provides higher security for the transaction than a shared, long-lived key. The meeting ended with a question about the role of user consent for cookies in this process. In conclusion, if done correctly, declining to accept cookies should prevent the website from sending API keys to its servers.
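The backend-proxy pattern discussed above, as an added example rather than code from the office hours or from Xano, Make or Firebase: the browser sends only its own access token, the proxy validates it and makes the upstream call with the secret from the environment. The session store, the `THIRD_PARTY_API_KEY` variable, the upstream URL and the injected `upstreamFetch` are all constructed for this example so it runs offline.

```javascript
// Constructed session store: in production these tokens would be issued and
// validated by the auth provider (e.g. Xano or Firebase), not kept in a Map.
const SESSIONS = new Map([["tok_alice_123", { user: "alice" }]]);

// The secret lives only in the backend process. Assumed env var name; a
// constructed placeholder is used when it is unset so the example runs offline.
const THIRD_PARTY_API_KEY =
  process.env.THIRD_PARTY_API_KEY || "sk_constructed_example_key";

// Resolve the caller's session from an "Authorization: Bearer <token>" header.
function authenticate(headers) {
  const auth = headers["authorization"] || "";
  const [scheme, token] = auth.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return SESSIONS.get(token) || null;
}

// Handle one browser request. `upstreamFetch(url, options)` is the outbound HTTP
// call (injected so it can be faked); it resolves to { status, body }.
async function handleProxyRequest(req, upstreamFetch) {
  const session = authenticate(req.headers);
  if (!session) return { status: 401, body: { error: "unauthorized" } };

  // Only an allow-listed route is forwarded: the client never chooses the
  // upstream host or path, so the secret cannot be redirected elsewhere.
  if (req.path !== "/api/report") {
    return { status: 404, body: { error: "not found" } };
  }

  // Assumed upstream URL and header name for the third-party API.
  const upstream = await upstreamFetch("https://api.example.invalid/v1/report", {
    method: "GET",
    headers: { "X-Api-Key": THIRD_PARTY_API_KEY, "X-User": session.user },
  });

  // Return the data only; nothing about the key reaches the browser.
  return { status: upstream.status, body: upstream.body };
}
```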
(Source: Office Hours 2/23)