The API key must be kept secret, right?


So I shouldn’t put it into a js file that gets delivered to a browser. Which means the openrouteservice should be used server side only?
Sorry for asking such silly things, but wasn’t able to find anything about that topic in the docs, nor on github, stackoverflow, or Google.



If you don’t want to expose it to the user, that is correct, yes.


Thanks for your quick answer Timothy!
Maybe you should think about implementing an API auth mechanism like google is using with their maps api.
Their api-keys can be exposed on websites.


Yep, we have been thinking about that, also. Basically we want to enable every user to create a whitelist of domains which are allowed for each token.