Notes on client-side AI key safety, short-lived tokens, and proxies.https://perishable.skelfresearch.com/en-ushttps://perishable.skelfresearch.com/blog/proxy-vs-serverless-function/https://perishable.skelfresearch.com/blog/proxy-vs-serverless-function/A serverless function can hide your API key. It will also cost you streaming, latency, observability, and your sanity. Here is the trade space, drawn honestly.Thu, 28 May 2026 00:00:00 GMTarchitectureserverlessstreaminghttps://perishable.skelfresearch.com/blog/short-lived-tokens-oauth-style/https://perishable.skelfresearch.com/blog/short-lived-tokens-oauth-style/OAuth solved this problem for the web a decade ago. Here is what the same idea looks like wrapped around an AI provider's API.Wed, 20 May 2026 00:00:00 GMTjwtsessionsdesignhttps://perishable.skelfresearch.com/blog/client-side-ai-key-screenshots/https://perishable.skelfresearch.com/blog/client-side-ai-key-screenshots/A walkthrough of how API keys baked into mobile and browser bundles get extracted in minutes, and what to do other than pray.Tue, 12 May 2026 00:00:00 GMTclient-sidethreat-modelmobile