Storing API keys in Pinia (bad idea, or very bad idea?) #1253
Unanswered
maggie44 asked this question in Help and Questions
Replies: 0 comments
I have a backend that connects to a server using an API key and, through the API key, has access to, let's say, 10 functions.
I want to move all that functionality from the backend to the frontend, but the frontend is only supposed to let the user use 2 functions. This means that, if the user was able to get the API key out of the browser, they could access 8 functions I didn't want them to have access to.
The question, then, is one of security, and the risks involved in using Pinia like this. I know the short answer is to keep the API key in the backend and only expose the two functions I want users to be able to access, or make changes on the API end, but for the sake of keeping a long story short let's assume they are not good options.
I could do then with some thinkers to help me work through the severity of the implications. My instincts tell me no, but the benefits I can gain from doing it make me think I should consider it. I realise an X factor here is the risks involved in the other 8 functions being exposed, but will leave that vague too just for the sake of simplicity.
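The option the post calls the short answer (the key stays in the backend and only two functions are exposed), sketched as an added example that is not part of the original post. The function names, upstream paths, the Bearer header scheme and the key value are all constructed for illustration.

```javascript
// Hypothetical names throughout: nothing below comes from the post itself.
// Only the two functions the frontend is meant to use are listed. The other
// eight have no entry, so the backend can never be asked to call them.
const ALLOWED = {
  getReport:  { method: "GET",  path: "/v1/report",  params: ["id"] },
  sendNotice: { method: "POST", path: "/v1/notices", params: ["to", "text"] },
};

// Turn a browser call into an upstream request descriptor, or a rejection.
// apiKey is read from the server's environment, never sent by the client.
function buildUpstreamRequest(call, apiKey) {
  // Own-property check: names such as "constructor" or "__proto__" exist on
  // every object and would pass a plain ALLOWED[call.fn] truthiness test.
  const spec = Object.prototype.hasOwnProperty.call(ALLOWED, call.fn)
    ? ALLOWED[call.fn]
    : null;
  if (!spec) return { ok: false, status: 403, error: "function not allowed" };

  // Copy only the declared string parameters; anything else is dropped.
  const args = {};
  for (const name of spec.params) {
    const v = call.args ? call.args[name] : undefined;
    if (typeof v !== "string" || v.length === 0 || v.length > 256) {
      return { ok: false, status: 400, error: `bad parameter: ${name}` };
    }
    args[name] = v;
  }
  return {
    ok: true,
    method: spec.method,
    path: spec.path,
    // Assumed header scheme; attached server-side only.
    headers: { Authorization: `Bearer ${apiKey}` },
    args,
  };
}

// What goes back to the browser: upstream data only, never request headers.
function toClientResponse(upstreamBody) {
  return JSON.stringify({ data: upstreamBody });
}
```

With this shape the browser, and therefore any Pinia store, only ever holds function names and arguments, so there is no key in client state to extract.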