Long-form writing about how secrets escape into client binaries, what
short-lived tokens look like in practice, and why a proxy beats a
serverless function for this job.
2026-05-28 · architecture · serverless · streaming
A serverless function can hide your API key. It will also cost you streaming, latency, observability, and your sanity. Here is the trade space, drawn honestly.
2026-05-20 · jwt · sessions · design
OAuth solved this problem for the web a decade ago: never hand the client a long-lived secret, hand it a short-lived, scoped token it can exchange for the real thing. Here is what the same idea looks like wrapped around an AI provider's API.
2026-05-12 · client-side · threat-model · mobile
A walkthrough of how API keys baked into mobile and browser bundles get extracted in minutes, and what to do other than pray.