You are absolutely correct that the Kloudless API Key should be kept confidential and not included on the client-side. Instead, I would use the user's Account Key. Account Keys function the same way as API Keys, but only provide access to the connected account.
Here is some information on using Account Keys with the File Explorer:
Account Keys can be returned from the File Explorer by setting the "account_key" option to true. They are only returned to Trusted Domains (added via the Developer Portal). Once you have them on the client-side, you can make requests using them. In addition, they can be retrieved via the backend as well.
Account Keys also come in useful when you would like to show returning users accounts they have already connected previously. By storing Account Keys for the user, you can render them on the client-side and pass them in via the "keys" option while instantiating the File Explorer, which will display the corresponding accounts to the user automatically.
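
The server-side half of the setup described above, as an added example that is not part of the original answer or Kloudless's own code: it builds the File Explorer options for one signed-in user from stored Account Keys and serializes them for the page without exposing the API Key. The per-user store, the `app_id` option name, the `window.EXPLORER_OPTIONS` global and all key values are assumptions or constructed placeholders; only the "account_key" and "keys" option names come from the answer.

```javascript
// Constructed placeholder; the real API Key stays in server-side config only.
const SERVER_SECRETS = { apiKey: "API_KEY_PLACEHOLDER" };

// Hypothetical per-user store of Account Keys saved when accounts were connected.
const accountKeyStore = new Map([
  ["alice", ["ACCOUNT_KEY_ALICE_1", "ACCOUNT_KEY_ALICE_2"]],
  ["bob", ["ACCOUNT_KEY_BOB_1"]],
]);

// Build File Explorer options for one signed-in user. Only that user's
// Account Keys are copied in; the API Key is never part of the object.
function explorerOptionsFor(userId, appId) {
  const keys = accountKeyStore.get(userId) || [];
  return {
    app_id: appId,     // assumed option name for the application id
    account_key: true, // ask the File Explorer to return Account Keys
    keys: [...keys],   // previously connected accounts to display
  };
}

// Serialize the options for an inline <script>. Escaping "<" keeps a stored
// value that contains "</script>" from closing the script element early.
function renderOptionsScript(userId, appId) {
  const json = JSON.stringify(explorerOptionsFor(userId, appId))
    .replace(/</g, "\\u003c");
  // Fail closed if the server secret ever ends up in client-bound output.
  if (json.includes(SERVER_SECRETS.apiKey)) {
    throw new Error("API Key must not be sent to the client");
  }
  // window.EXPLORER_OPTIONS is a hypothetical global read by the page script
  // that instantiates the File Explorer.
  return `<script>window.EXPLORER_OPTIONS = ${json};</script>`;
}
```
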