With JAMstack sites, using API keys/tokens on API calls is pretty much a regular occurrence. In most cases, we just hard code our keys when invoking those API calls which means these keys are public. Anyone can open their browser dev tools and view them. This can lead to someone abusing it.
In some cases, this is fine. For instance, Firebase keys are intended to be public. This is not the case for AWS access tokens. You’d definitely not want that to be public or bad things can happen. There are plenty of horror stories of leaked authentication keys, like this one about Dropbox Paper.
There are several things you can do to keep these keys secure. Never commit any sensitive keys/tokens to your git repository. Using Functions is another great way to keep those keys secure. Here’s a project that I call ‘token hider’ that does just that and could be a great starting point for anyone wanting to do the same.