Exactly. The current happy pattern is to have an API that makes the call for you. The API checks your authorization for the call, just plain ol' Entra, and if you have access to the function, it looks up the API key from a vault (many out there) and makes the call with the API key on your behalf. The key is never seen by the client. This pattern is called a "Backend For Frontend" or BFF. Once you have that API, you can do other cool tricks like caching and further data restrictions by user. It makes it really fast and easy to rotate keys in case someone accidentally pushes one up into source control.
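The BFF pattern described in the reply above, as an added example that is not code from the original post: the client sends only its identity token, the BFF checks the function-level authorization, reads the upstream API key from a vault and makes the upstream call, so the key never reaches the client and can be rotated in one place. Entra token validation, the vault and the upstream API are replaced with constructed in-process stand-ins.

```python
"""Minimal Backend-For-Frontend (BFF) proxy in front of an API-key-protected upstream."""

# --- Constructed stand-ins (not real services) ---
# Identity tokens as already-validated claim sets; real code verifies the JWT first.
VALIDATED_TOKENS = {
    "tok-alice": {"sub": "alice", "roles": ["weather.read"]},
    "tok-bob":   {"sub": "bob",   "roles": []},
}
# Role each BFF function requires (the per-function authorization check).
FUNCTION_ROLES = {"get_forecast": "weather.read"}
# Keys the constructed upstream currently accepts; rotation revokes the old one here.
UPSTREAM_VALID_KEYS = {"key-v1"}


class Vault:
    """Holds the upstream key; only the BFF process reads it, and it rotates in place."""
    def __init__(self, secrets):
        self._secrets = dict(secrets)

    def get(self, name):
        return self._secrets[name]

    def rotate(self, name, new_value):
        self._secrets[name] = new_value


def upstream_forecast(city, api_key):
    """Constructed upstream API: answers only when presented with a valid key."""
    if api_key not in UPSTREAM_VALID_KEYS:
        return 401, {"error": "bad api key"}
    return 200, {"city": city, "forecast": "sunny"}


class BFF:
    def __init__(self, vault):
        self.vault = vault
        self.cache = {}          # per-city cache, one of the "other tricks" a BFF enables

    def get_forecast(self, token, city):
        claims = VALIDATED_TOKENS.get(token)
        if claims is None:
            return 401, {"error": "unauthenticated"}
        if FUNCTION_ROLES["get_forecast"] not in claims["roles"]:
            return 403, {"error": "forbidden"}        # authorized identity, wrong role
        if city in self.cache:
            return 200, self.cache[city]
        api_key = self.vault.get("weather-api-key")   # fetched server-side, never returned
        status, body = upstream_forecast(city, api_key)
        if status == 200:
            self.cache[city] = body
        return status, body                           # body carries data only, no key
```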