Threadser.net
2024-12-23 23:29
So wait, API keys are supposed to be private, right? Then in production, if you're making API calls, how does one make sure the keys can't be taken through devtools? I'm probably just ignorant of a solution.
Likes: 216 · Replies: 168 · Reposts: 6
Author: Ghøst👻 (@nueldotdev), 265 followers, 107+ threads
Replies (earliest first; time shown is time after posting)
Within 27 minutes, Stephen (@elsteve314159):
Your backend proxies to the gated API services on the client's behalf. This also allows you to avoid CORS problems. API keys stay nice and secure in key vaults or env variables and your backend can do client validation and authentication before firing off the requests.
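The pattern Stephen describes, as an added example that is not code from the thread: a small Node.js backend-for-frontend proxy. The browser calls the proxy with its session cookie; the proxy authenticates the user, maps the request onto an allow-listed upstream call, and attaches the API key from the environment. The upstream host https://api.example.com, the UPSTREAM_API_KEY variable, the session Map and the route table are all constructed assumptions standing in for real services.

```javascript
// Added example (not code from the thread): a backend-for-frontend proxy in Node.js
// that keeps a third-party API key out of the browser. Assumptions, all constructed:
// the upstream is https://api.example.com, the key is read from UPSTREAM_API_KEY,
// and `sessions` is a Map of cookie values to users standing in for a real session store.

// Constructed session store: cookie value -> signed-in user.
const sessions = new Map([['sess-abc', { userId: 'u1' }]]);

// Explicit allow-list of client routes and the upstream calls they map to.
// Anything not listed is refused, so the proxy cannot be turned into an open relay.
const ROUTES = new Map([
  ['/api/search', { upstreamPath: '/v1/search', params: ['q'] }],
]);

function getApiKey(env = process.env) {
  const key = env.UPSTREAM_API_KEY;
  if (!key) throw new Error('UPSTREAM_API_KEY is not configured');
  return key; // never placed in any response to the client
}

// Authenticate the *client* (cookie session) before spending the upstream key on its behalf.
function authenticate(headers, store = sessions) {
  const match = /(?:^|;\s*)session=([^;]+)/.exec(headers.cookie || '');
  return match ? store.get(match[1]) || null : null;
}

// Decide what (if anything) to send upstream for a given client request.
// Returns either an error response or the exact upstream request to make.
function buildUpstreamRequest(clientReq, env = process.env, store = sessions) {
  const user = authenticate(clientReq.headers, store);
  if (!user) return { status: 401, body: { error: 'not signed in' } };

  const clientUrl = new URL(clientReq.url, 'http://localhost');
  const route = ROUTES.get(clientUrl.pathname);
  if (!route) return { status: 404, body: { error: 'unknown route' } };

  // Copy only the allow-listed query parameters; the client cannot add its own.
  const upstream = new URL(route.upstreamPath, 'https://api.example.com');
  for (const name of route.params) {
    const value = clientUrl.searchParams.get(name);
    if (value !== null) upstream.searchParams.set(name, value);
  }
  return {
    status: 200,
    upstream: {
      url: upstream.toString(),
      headers: {
        Authorization: `Bearer ${getApiKey(env)}`, // the secret stays on this side
        'X-Forwarded-User': user.userId,           // upstream sees who asked, if it cares
      },
    },
  };
}

// Pass the upstream body through, but never echo upstream headers to the browser.
function shapeResponse(upstreamStatus, upstreamBody) {
  return { status: upstreamStatus, headers: { 'content-type': 'application/json' }, body: upstreamBody };
}

// Full request path, with fetch injected so it can be exercised without a network.
async function handle(clientReq, fetchImpl = globalThis.fetch, env = process.env, store = sessions) {
  const plan = buildUpstreamRequest(clientReq, env, store);
  if (plan.status !== 200) return plan;
  const res = await fetchImpl(plan.upstream.url, { headers: plan.upstream.headers });
  return shapeResponse(res.status, await res.json());
}
```

The two things a practitioner should check in any proxy like this: the key only ever appears in the outbound request headers (never in a response body, log line or error message), and the route table is an allow-list, so a signed-in user cannot point the proxy at arbitrary upstream paths or pass extra query parameters the upstream would honour.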
Within 1 hour, cage.of.freedom:
A web app shouldn't run on the client's machine, it should run on your machine and only serve a bunch of beautiful text to the client
Within 3 hours, Cole Snyder (@dropmeabeat):
Generally, associate the keys with a tenant or user. If your system is user-centric and not B2B SaaS, use OAuth instead of keys. Finally, I always tell my devs to do auth LAST. Most frameworks have OOTB support for auth. By the time you implement it you'll be more familiar with your framework, so it will be easier. Additionally, introducing auth to your project too early will significantly slow your development time due to the extra overhead of having to constantly sign in to do smoke testing.
Within 10 hours, Gareth Wright (@batman3227):
I used to wonder why malware is so prevalent…then I read these replies. 🤦♂️
Within 2 days, Ale (@ale.ortegx):
You're talking about security. Best practice is to boot a back-end and use it as a bridge, at least for third-party APIs. If we are talking about an API you do own, you should learn about auth workflows, e.g. OAuth. Also there are other mechanisms, such as the one Segment uses: public write-only keys are exposed and secured further through CORS and whitelisting :)