Deploying Blazor WASM application and using environmental variables instead of appsettings.json

Good morning,

I am building a blazor web assembly portfolio website using Contentful CMS for my images. However, the nature of Contentful.csharp package (as contentful.aspnetcore is not supported with blazor) requires three keys that I place in my appsettings.json located in www/root of my project. These keys take the following form:

"ContentfulOptions": {
    "DeliveryApiKey": "A",
    "ManagementApiKey": "not used",
    "PreviewApiKey": "B",
    "SpaceId": "C"

I then access these keys directly by injecting IConfiguration into my service. It looks like this:

private ContentfulClient GetContentfulClient()
            var apiKey = _configuration.GetSection("ContentfulOptions").GetSection("DeliveryApiKey").Value;
            var previewKey = _configuration.GetSection("ContentfulOptions").GetSection("PreviewApiKey").Value;
            var spaceid = _configuration.GetSection("ContentfulOptions").GetSection("SpaceId").Value;
            var httpClient = new HttpClient();
            var client = new ContentfulClient(httpClient, apiKey, previewKey, spaceid);
            return client;

Because this is a web assembly application, if I were to upload the appsettings.json and deploy my application, these keys would be available to anyone who decompiled the dlls - which is obviously bad practice. I came across environmental variables and am seeking some guidance on whether what I’m doing is actually possible.
I posted about this on stackoverflow if anyone is interested:

I want to store the Delivery, Management and Preview keys as environmental variables and hopefully access them. The only problem is, if I do not upload the appsettings.json, my GetContentfulClient() method does not know where to find them, and while I can successfully deploy my application using the yml file (I’ll paste below), GetContentfulClient() cannot find the keys.

I have the following environmental variables:
And the following in my github secrets for the repository:

This is my yaml file that I am using to deploy my web assembly application.

on: [push] # Action on which the workflow runs. Can be push, pull_request, page_build, or many others

    runs-on: ubuntu-latest
    - uses: actions/checkout@master # Checkout the master branch
    - name: Setup .NET Core
      uses: actions/setup-dotnet@v1 # Setup .NET Core
        dotnet-version: 6.0.101
    - name: Build with dotnet
      run: dotnet build --configuration Release 
    - name: Publish personal portfolio website to netlify
      #create Blazor WebAssembly dist output folder in the project directory
      run: dotnet publish -c Release --no-build -o publishoutput # Don't build again, just publish
    - name: Publish personal portfolio blazor webassembly to Netlify
      uses: netlify/actions/cli@master #uses Netlify Cli actions
      env: # These are the environment variables added in GitHub Secrets for this repo
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
          args: deploy --dir=publishoutput/wwwroot --prod #push this folder to Netlify
          secrets: '["My auth token", "My site id"]'

It successfully builds and deploys it, but my GetContentfulService cannot find the keys to perform its operations. Any advice on how to proceed? Do my Contentful api keys need to be stored as github secrets? I suspect it may be something to do with my yaml file but I am unsure of how to go about it.

Thanks in advance! (and sorry about the post length…)

Coming back to provide an answer after thinking through the problem. I decided to create a web api to this project, and write services to consume that which does the dirty work querying ContentfulCDA. All I have to do is deserialize it into whatever I liked. This seems to be the best way forward, as the api keys would be visible on the client side through appsettings.json.

Furthermore, apparently appsettings.json in blazor wasm projects cannot access environmental variables as they are not exposed to the browser, so my idea of using EVs does not work - So the web api is the best way forward, and Azure Key Vault would be the next step in securing those keys.