API key safety

Do not put an OpenAI API key in browser code

Browser and mobile apps ship to the user's device, where anything inside them can be read. Provider keys and secret project keys must stay behind a server-side boundary that the client calls but cannot inspect.

Client code is not a secret store

Environment variables read at build time are inlined into the shipped JavaScript, so they are as visible as any other string in the bundle. Anyone can pull the key out of view-source or DevTools and spend against the provider account until the key is revoked.
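The following is an added example, not code from the original page or from Switchboard, showing what a bundler leaves behind once a build-time variable is inlined, and a scanner a reviewer (or a CI step) can run over the served bundle to find it. The bundle text is constructed, the key is a fake placeholder, and the "sk-" key pattern is an assumption about key shape used only for triage.

```javascript
// Added example (not from the page or from Switchboard): a key compiled into a
// frontend bundle is public. The bundle below is constructed; the key is a fake placeholder.

// What a bundler emits after inlining process.env.REACT_APP_OPENAI_KEY at build time:
// the variable name is gone and the literal value sits in the shipped file.
const SHIPPED_BUNDLE = `
!function(){var e="sk-constructed-AbCdEfGh1234567890abcdefXYZ";
fetch("https://api.openai.com/v1/chat/completions",{method:"POST",
headers:{authorization:"Bearer "+e,"content-type":"application/json"},
body:JSON.stringify({model:"gpt-4o-mini",messages:[]})})}();
`;

// Any user can run this over the served JS (view-source, DevTools, or curl).
// Loose pattern for OpenAI-style keys: "sk-" followed by a long run of token
// characters. This is an assumption about key shape, good enough for triage.
const KEY_PATTERN = /\bsk-[A-Za-z0-9_-]{20,}\b/g;

// Return the distinct key-looking strings found in a bundle.
function findLeakedKeys(bundleText) {
  return [...new Set(bundleText.match(KEY_PATTERN) || [])];
}

// The same check belongs in CI over your own build output, so a leak is caught
// before deploy rather than by a stranger. Each finding names the file and the key;
// a non-empty result means the build should fail.
function auditBuildOutput(files) {
  return Object.entries(files).flatMap(([name, text]) =>
    findLeakedKeys(text).map((key) => ({ file: name, key })));
}
```

Run findLeakedKeys over the bundle your server actually serves, not over source files: the inlining happens at build time, so the source may look clean while the artifact does not.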

Publishable credentials need server-side enforcement

A Switchboard publishable key identifies a project; it does not by itself authorize a request. Whether a chat request actually runs is decided server-side by the end-user session and the hosted billing gate.

Keep the OpenAI-compatible shape

Trusted servers can keep sending the familiar OpenAI-compatible request shape, with the provider key held only on the server. Client apps go through the hosted backend flow instead, so provider secrets never reach the browser.
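To make the two previous points concrete, here is an added example of the kind of server-side gate they describe. It is not Switchboard's code and not the hosted backend flow itself: the session store, the billing status values, the cookie name, the model allow-list and the caps are all assumptions. What it shows is the shape of the boundary: the browser sends a session and a message list, the server decides whether the request may run, and only the server ever attaches the provider key to an OpenAI-compatible request.

```javascript
// Added example (not Switchboard's own code): a minimal server-side gate in front of
// an OpenAI-compatible chat endpoint. The provider key lives only in this process;
// the browser sends its session and the request body, never a secret.
// Session shape, billing status values, cookie name and caps are all assumptions.

// In production read this from the server's environment or a secret manager.
const PROVIDER_KEY = "sk-constructed-server-side-only"; // constructed placeholder
const UPSTREAM = "https://api.openai.com/v1/chat/completions";

// Constructed session store standing in for a real end-user session lookup.
const SESSIONS = new Map([
  ["sess_alice", { userId: "alice", projectId: "proj_1", expiresAt: 2_000_000_000_000 }],
  ["sess_stale", { userId: "bob", projectId: "proj_1", expiresAt: 1 }],
  ["sess_carol", { userId: "carol", projectId: "proj_2", expiresAt: 2_000_000_000_000 }],
]);

// Constructed billing state keyed by project. "active" is the only status allowed to run.
const BILLING = new Map([["proj_1", "active"], ["proj_2", "past_due"]]);

// Decide whether a chat request may run.
// Returns { ok: true, session } or { ok: false, status, reason }.
function authorizeChat(sessionToken, now = Date.now()) {
  const session = SESSIONS.get(sessionToken);
  if (!session) return { ok: false, status: 401, reason: "unknown session" };
  if (session.expiresAt <= now) return { ok: false, status: 401, reason: "session expired" };
  if (BILLING.get(session.projectId) !== "active") {
    return { ok: false, status: 402, reason: "billing not active" };
  }
  return { ok: true, session };
}

// Build the upstream request in the usual OpenAI-compatible shape. Only server-chosen
// fields are forwarded, so a client cannot smuggle its own Authorization header,
// pick an arbitrary model, or raise the token cap.
function buildUpstreamRequest(clientBody, session) {
  const messages = Array.isArray(clientBody.messages) ? clientBody.messages : [];
  return {
    url: UPSTREAM,
    method: "POST",
    headers: {
      "content-type": "application/json",
      authorization: `Bearer ${PROVIDER_KEY}`, // set here, never taken from the client
    },
    body: JSON.stringify({
      model: "gpt-4o-mini",          // server picks the model (assumed allow-list of one)
      messages: messages.slice(-20), // cap the history the server is willing to pay for
      max_tokens: 512,               // server-side spend cap per request
      user: session.userId,          // per-user attribution for abuse tracking
    }),
  };
}

// Handle one client request of the form { headers: {...}, body: {...} }.
// Returns an error response, or the upstream request the server would send with fetch().
function handleChat(req, now = Date.now()) {
  const match = (req.headers.cookie || "").match(/session=([^;]+)/);
  const token = match ? match[1] : undefined;
  const auth = authorizeChat(token, now);
  if (!auth.ok) return { status: auth.status, body: { error: auth.reason } };
  return { status: 200, upstream: buildUpstreamRequest(req.body, auth.session) };
}
```

The important property is that nothing the client sends is copied into the upstream headers, and the fields that control spend (model, history length, max_tokens) are chosen by the server rather than accepted from the request body.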

Next step

Open the developer docs for the quickstart, credential boundaries, billing statuses, and API routes. Use the Integration Kit in your dashboard for project-specific prompts and snippets.