Hi, I’m using Netlify lambda and env variables to hide my API key. Now what I have is a Netlify API endpoint which can be called without a secret key. But how is this secure? Since the endpoint is open and now it doesn’t need any secret keys either, anyone can just call the new Netlify API endpoint and make the request happen. Am I missing something here?
The endpoint is not secure; the token is not exposed. You’ll have to put login in your function to “secure” things up to whatever standards you have. If security == “linked from your website” you can check the URL for the referrer, or you can do whatever external auth you like (probably “collect auth info from the visitor in a POST to your function, which confirms the details, and then runs the rest of your function only if authorized”).