@joshua After digging deeper in the code it looks like this is actually a shared configuration file between the frontend and backend (which was a little confusing). But it doesn't look like the client actually uses the secrets or apiKey which is what I didn't think was safe. So I think I am good for now. Thank you for following up with me.
I'm understanding the Node JS side more ... I may be able to replicate this behavior in Spring Boot. If so I'll share my findings and maybe you guys can add this to your examples for future users.