I’m using Netlify to host an Angular SPA that consumes a Laravel API with Postgresql as the database.
I’m really interested in going serverless and moving to FaunaDB though (so cutting out the Laravel API) and I’ve been doing some initial research into how to set that up.
1st question: what I’m finding myself getting confused on is: how do I secure the “secret” that gives full access to FaunaDB?
I’ve seen snippets like this a lot in various tutorials:
    const faunadb = require('faunadb');

    // Server-side only: the secret is read from the Netlify environment variable
    const client = new faunadb.Client({
      secret: process.env.FAUNADB_SECRET
    });
I understand this works by consuming the environment variable in Netlify that’s administered in the Netlify UI. But is it as simple as that? Is it secure for the FaunaDB secret to be an envvar? Can no one else consume that envvar and gain full access to my database?
2nd question: If I use serverless functions in Netlify to query the database, I understand I can access those endpoints via the Angular front-end app. Does that mean I could also offer those endpoints to others as an API so they could integrate with my app? If so though, how would I manage authentication? Presumably the lambda functions would have to also make requests to my Auth0 account (I’m using Auth0 for authentication) to check the token first before querying the database?
If the above snippet is going to be in any client-side JavaScript, it’s not secure. No matter how much it’s hidden, someone desperate enough can find it. However, if it’s used in a Function, it’s safe.
About the second question, yes, you can offer the endpoint to others. However, I’m not sure what authentication we’re talking about here.
Great thanks for clarifying!
So Netlify environment variables are hidden? There’s no way someone can consume a Netlify environment variable from the front end?