Security for API keys
I'm confused on the proper security procedures for API keys. All the examples for Supabase (such as this auth example: https://toddle.dev/projects/erik_auth/branches/main/components/LoginPage) have you passing the API key as part of the header. But in another thread (https://toddle.dev/forum/Where-to-save-the-Stripe-secret-key) I saw someone recommend against using Toddle to call Stripe because, since it's on the client, someone could steal your key. Why is one situation secure and the other isn't?

Supabase's secret key cannot be used client-side, as that key can do anything. Same goes for Stripe's key for server-side calls.

The anon key is restricted in scope. Assuming you have auth headers and RLS in place, users won't be able to make changes they shouldn't be making (e.g., delete other user data). If you don't have these things in place, then users can still make those changes. Supabase, for example, makes this clear when you try to use the service key.

The main thing to note is the scope of the key. What can the key do? That will tell you if it's safe to use client-side.
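An added illustration (not code from the thread or from Supabase's own examples) of what "RLS in place" means for the anon-key case: Postgres row-level-security policies on a hypothetical `notes` table, using Supabase's `auth.uid()` helper and its built-in `authenticated` role, so that a request carrying the anon key plus a user's JWT can only read, insert or delete that user's own rows.

```sql
-- Added example, not from the thread. Assumes a hypothetical "notes"
-- table and Supabase's auth.uid(), which returns the user id from the
-- JWT sent in the request's Authorization header.
create table if not exists notes (
  id      bigint generated always as identity primary key,
  user_id uuid not null default auth.uid(),
  body    text not null
);

-- Without this line the anon key alone can read and delete every row,
-- which is the "if you don't have these things in place" case above.
alter table notes enable row level security;

-- Owner may read their own rows ...
create policy "notes: owner can select"
  on notes for select
  to authenticated
  using (auth.uid() = user_id);

-- ... may insert rows only as themselves ...
create policy "notes: owner can insert"
  on notes for insert
  to authenticated
  with check (auth.uid() = user_id);

-- ... and may delete only their own rows. No policy is granted to the
-- anon role, so the anon key with no user JWT sees nothing at all.
create policy "notes: owner can delete"
  on notes for delete
  to authenticated
  using (auth.uid() = user_id);

-- Check that RLS is actually enabled on the table (relrowsecurity = true).
-- The service_role key bypasses RLS entirely, which is exactly why it must
-- stay server-side.
select relname, relrowsecurity
from pg_class
where relname = 'notes';
```

With these policies, a `DELETE` sent with the anon key and user A's JWT matches zero of user B's rows rather than failing loudly, so test it by deleting as one user and confirming the other user's row count is unchanged.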