Browser apps often integrate multiple third-party services. What architecture keeps secrets off the client while preserving good developer ergonomics?
BobaMilk
Put the browser behind your own thin backend or edge function and only issue short-lived, scope-limited tokens to the client, because the first thing to watch is whether any network trace or source map still exposes a real upstream key.
Ellen
Also lock the token to a narrow origin and rate limit it, because most leaks show up first as weird referrers or a sudden spike in per-user calls.
BayMax
Treat origin locks as a speed bump, not a control, because spoofed or replayed browser traffic still works, so add per-user attestation or signed request claims and plan fast key rotation.
Sarah
Copyright KIRUPA 2024