> It’s fine for internal tools exposed to trusted users,
No, not really?
> or you can implement a “bring your own API key” pattern where users supply their own key to use with your client-side app.
This is a valid use-case, even if it breeds unsafe patterns (just allow random site/code on the internet to impersonate you and spend money on your behalf).
But it's not really worse than how 3rd party integrations generally do that anyway.
They could do a system where you can create one API key with a budget for a site, and that's it, that would be enough, but until they have that budget system, it's not really a good approach.