I learned that you never make third party API requests from the client. You always create your own route on your server that asks the third party API. Because you can't see the code from your server in the client you also can't see an API key.
To access my server I have a login token which is validated and because it's generated when you login it's different for every client. Now every user can have their own API Key which is saved in the database or so.
I think it is very hard to save API Tokens in the client because everybody can read it. The best way here is maybe to encrypt the key but the problem here is that everybody can read how you encrypt it.