Is it safe to leave private information such as API keys in javascript in WordPress?

I added a media button in WordPress editor, just like the code

add_action('media_buttons', 'add_my_media_button');
function add_my_media_button() {
    echo '
            <input id="up_to_chevereto" type="file" accept="image/*" multiple="multiple"/>
            <label for="up_to_chevereto" id="up_img_label"><i class="fa fa-picture-o" aria-hidden="true"></i> upload images to Chevereto</label>
          ';
?>
<style type="text/css">...</style>
<script type="text/javascript">
$('#up_to_chevereto').change(function() {
...
});
</script>
<?php
}

I left my api key in the javascript area, I wonder if this is safe or not.

Answer

It is always insecure to leave API keys within javascript code. If it is unnecessary, then see on Chevereto for your API key settings to restrict usage per domain. If such option is not possible, then you should avoid rendering your API key in javascript.

Source: stackoverflow
The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 .