I'm using Google's Perspective API and have an API key. I've restricted this to the specific domain I'm going to be using, but I would like to know if it's safe to release the key in my code? As this would be in the client's browser I don't want to make a backend just for that, but I will if necessary.
Essentially: Is it safe to share a domain restricted API key?
I do not think it is safe. Google does not recommend it. You can check the official article for the best practices.
"Do not embed API keys directly in code: API keys that are embedded in code can be accidentally exposed to the public, for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree."
