Overview

Never expose your API key in the frontend or client-side code.
To protect your organization’s data, it’s essential to handle API keys properly and understand environment limitations.

Why You Should Never Use API Keys in Frontend Code

Exposing your API key in frontend or client-side code (e.g., in a browser or mobile app) can lead to unauthorized access. API keys grant full access to your data, and if they are exposed publicly, they can be extracted and misused by malicious users. Additionally, direct API calls from a frontend will fail due to CORS restrictions — the Partoo API is designed to be accessed only from secure, server-side environments.

How to Use API Keys Securely

1. Store keys securely

Use environment variables or a secret manager to avoid hardcoding your API key:

API_KEY=your_api_key_here

2. Never expose keys in client code

Do not include your API key in any public frontend source (JavaScript, mobile apps, etc.).

3. Proxy frontend requests

For frontend use cases, route requests through your own backend. The backend appends the API key securely and forwards the request to the Partoo API. Please refer to our How to Display Partoo Data guide for a detailed example.
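
The proxy pattern from step 3, sketched in Node.js as an added example (this is not Partoo's code and not the guide referenced above). It reads the key from the `API_KEY` environment variable shown in step 1; the upstream base URL, the `x-APIKey` header name, the `/api/partoo` prefix and the allowed routes are assumptions or placeholders to replace with values from the Partoo API reference.

```javascript
// Assumptions, not from the page: base URL, key header name, prefix, routes.
const UPSTREAM = process.env.PARTOO_API_BASE || 'https://api.example.invalid'; // placeholder
const KEY_HEADER = 'x-APIKey';   // assumed header name, verify in the API reference
const PREFIX = '/api/partoo';    // hypothetical path the frontend calls on your backend
const ALLOWED_PATHS = new Set(['/example/businesses', '/example/reviews']); // placeholders

// Decide what, if anything, is sent upstream for one browser request.
// Headers are built from scratch, so nothing the client sends (cookies,
// its own key header) is ever forwarded to the upstream API.
function buildUpstreamRequest(method, rawUrl, apiKey) {
  if (!apiKey) return { status: 500, error: 'API_KEY is not configured' };
  if (method !== 'GET') return { status: 405, error: 'method not allowed' };
  // URL parsing resolves "../" segments before the allowlist check runs.
  const url = new URL(rawUrl, 'http://proxy.local');
  if (!url.pathname.startsWith(PREFIX + '/')) return { status: 404, error: 'unknown route' };
  const path = url.pathname.slice(PREFIX.length);
  if (!ALLOWED_PATHS.has(path)) return { status: 404, error: 'unknown route' };
  const headers = { accept: 'application/json', [KEY_HEADER]: apiKey };
  return { status: 200, url: UPSTREAM + path + url.search, headers };
}

// Request handler: the key lives only in this process's environment.
async function handle(req, res) {
  const plan = buildUpstreamRequest(req.method, req.url, process.env.API_KEY);
  let status = plan.status;
  let body = JSON.stringify({ error: plan.error });
  if (plan.url) {
    try {
      const upstream = await fetch(plan.url, { headers: plan.headers }); // Node 18+
      status = upstream.status;
      body = await upstream.text();
    } catch {
      status = 502;
      body = JSON.stringify({ error: 'upstream unavailable' });
    }
  }
  res.writeHead(status, { 'content-type': 'application/json' });
  res.end(body);
}

async function startProxy(port) {
  const { createServer } = await import('node:http');
  return createServer(handle).listen(port, '127.0.0.1');
}

// RUN_PROXY is a hypothetical switch so loading this file does not open a port.
if (process.env.RUN_PROXY === '1') startProxy(3000);
```

The allowlist keeps the backend from becoming an open relay that lets any visitor use the key against every endpoint; put your own authentication and rate limiting in front of `handle` as well.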