yes as Jos Fabre said ... if you are mentioning about client ids or using a client sdk no need to worry about securing that. In such case the limitations will be like the domain its being executed from or maybe a particular user. Ex. Google allows request domain restriction on maps api. Check it here If you are using an api key in the client side. Don't do that . Write a wrapper and start hitting that endpoint.