I see that most folks want to make a third-party API call from the client (JavaScript) as opposed to from the server, for latency purposes.
What are the different ways of keeping the API key in javascript as a secret?
I learned that you never make third-party API requests from the client. You always create your own route on your server that asks the third-party API. Because you can't see your server's code from the client, you also can't see the API key.
To access my server I have a login token which is validated, and because it's generated when you log in, it's different for every client. Now every user can have their own API key, which is saved in the database or similar.
I think it is very hard to store API tokens in the client because everybody can read them. The best option here might be to encrypt the key, but the problem is that everybody can also read how you encrypt it.
There's no secure way of keeping API keys safe in JavaScript in the browser.
The best solution I've found is to build something similar to a proxy: you make the call to the service, but instead of sending it directly to the remote API, you send it to your own API, which then adds the sensitive bits (like the API key) to the message, simply passes it through to the remote API, and passes back the response.
This way you can also work around cross-domain issues.
Yes, as Jos Fabre said... if you are talking about client IDs or using a client SDK, there is no need to worry about securing that. In such a case the limitations will be things like the domain it's being executed from, or maybe a particular user. Ex. Google allows request domain restriction on the Maps API. Check it here. If you are using an API key on the client side, don't do that. Write a wrapper and start hitting that endpoint.
Lars
German developer, who likes to play with everything that comes in his way
Girish Patil
Full-stack engineer
Sandeep Panda
co-founder, Hashnode
I don't think it's a good idea to store the API keys on the client side. Even if you obfuscate the keys, at some point you will make the API call and send the actual keys. Attackers can easily retrieve the keys using something like Firebug.
In my opinion the best way to do this is to create a wrapper in the backend. You can make an AJAX request to your backend, which then calls the actual API using your secret keys.
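The backend "wrapper" or "proxy" route that Jos Fabre and Sandeep describe above, as an added example that is not part of the original thread. It is plain Node.js with no framework, and the upstream host `https://api.example.com`, the `X-Api-Key` header name, the `/api/proxy/...` route prefix and the in-memory session store are all assumptions made for the demo. Three details matter beyond "add the key on the server": the route checks the caller's own login session first (so the proxy is not an open relay for your key), it only forwards an allow-listed set of upstream paths and query parameters, and it strips headers such as `Set-Cookie` from the upstream response so nothing leaks back to the browser that the browser should not see. The upstream call is replaced by an in-process fake so the file runs offline.

```javascript
// Added example (not from the thread): a server-side wrapper route that injects a
// third-party API key on the server, so the browser never sees it.
// Assumed, hypothetical details: upstream host, header name, route prefix, session store.

const UPSTREAM_BASE = "https://api.example.com";        // assumed upstream service
const ALLOWED_UPSTREAM_PATHS = new Set(["/v1/search"]); // allow-list: not an open proxy
const ALLOWED_QUERY_PARAMS = ["q"];                     // only forward what we expect
const HEADERS_NOT_RELAYED = new Set(["set-cookie", "authorization", "x-api-key"]);

// Login tokens issued per client at sign-in (constructed sample data).
const SESSIONS = new Map([["sess-alice-7f3a", { user: "alice" }]]);

// Look up the caller's own session from "Authorization: Bearer <token>".
function lookupSession(req, sessions = SESSIONS) {
  const [scheme, token] = (req.headers["authorization"] || "").split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return sessions.get(token) || null;
}

// Map /api/proxy/<path> to an upstream request, or return null if not allowed.
function buildUpstreamRequest(req, apiKey) {
  const url = new URL(req.url, "http://localhost"); // base only so the path parses
  const upstreamPath = url.pathname.replace(/^\/api\/proxy/, "");
  if (!ALLOWED_UPSTREAM_PATHS.has(upstreamPath)) return null;
  const query = new URLSearchParams();
  for (const name of ALLOWED_QUERY_PARAMS) {
    if (url.searchParams.has(name)) query.set(name, url.searchParams.get(name));
  }
  return {
    method: "GET",
    url: `${UPSTREAM_BASE}${upstreamPath}?${query}`,
    // The key travels in a header, never in the URL: URLs end up in access logs.
    headers: { "X-Api-Key": apiKey, Accept: "application/json" },
  };
}

// The wrapper route. sendUpstream is injected so the demo can run without a network.
function handleProxy(req, { apiKey, sendUpstream, sessions = SESSIONS }) {
  if (!apiKey) return { status: 500, headers: {}, body: { error: "server misconfigured" } };
  if (!lookupSession(req, sessions)) {
    return { status: 401, headers: {}, body: { error: "login required" } };
  }
  const upstreamReq = buildUpstreamRequest(req, apiKey);
  if (!upstreamReq) return { status: 404, headers: {}, body: { error: "unknown route" } };
  const upstreamRes = sendUpstream(upstreamReq);
  // Relay the upstream body, but drop headers the browser must not receive.
  const headers = {};
  for (const [name, value] of Object.entries(upstreamRes.headers || {})) {
    if (!HEADERS_NOT_RELAYED.has(name.toLowerCase())) headers[name] = value;
  }
  return { status: upstreamRes.status, headers, body: upstreamRes.body };
}

// Offline stand-in for the real third-party API; records every request it gets.
function makeFakeUpstream(expectedKey) {
  const seen = [];
  const send = (upstreamReq) => {
    seen.push(upstreamReq);
    if (upstreamReq.headers["X-Api-Key"] !== expectedKey) {
      return { status: 401, headers: {}, body: { error: "bad key" } };
    }
    return {
      status: 200,
      headers: { "content-type": "application/json", "set-cookie": "upstream=1" },
      body: { results: ["first hit"] },
    };
  };
  return { send, seen };
}

// Runs three constructed client requests through the route and returns the outcomes.
function demo() {
  // In a real deployment read this from the environment or a secret store; the demo
  // value is a placeholder, not a real credential.
  const apiKey = "sk-demo-placeholder-not-a-real-key";
  const upstream = makeFakeUpstream(apiKey);
  const opts = { apiKey, sendUpstream: upstream.send };
  const loggedIn = { authorization: "Bearer sess-alice-7f3a" };
  return {
    ok: handleProxy({ method: "GET", url: "/api/proxy/v1/search?q=hashnode&debug=1", headers: loggedIn }, opts),
    noAuth: handleProxy({ method: "GET", url: "/api/proxy/v1/search?q=x", headers: {} }, opts),
    badPath: handleProxy({ method: "GET", url: "/api/proxy/v1/admin", headers: loggedIn }, opts),
    upstreamSeen: upstream.seen,
    apiKey,
  };
}
```

Wire `handleProxy` behind your existing login check and have the browser call `/api/proxy/v1/search?q=...` with its own session token; the third-party key is only ever read on the server. Note that the unauthenticated and unknown-route cases never reach `sendUpstream` at all, which is what keeps the route from becoming a free relay for anyone who discovers it.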