@nicolasalevera98 You are right on in that you do not want to send your API key down to the client. If you do that, they will have access to your system. In order to make a call to the APIs you will have to have to secure it on your server and then have the client call the server which has access to the API Key. Now if you enabled the something like the authorization code grant where the user logs in, then they would be able to use their username and password to access the APIs directly.