Security best practices
- Store keys in server-side environment variables or a secrets manager
- Rotate keys if you suspect compromise
- Never embed keys in browser or mobile apps
Example
Browser / CORS guidance
Pixelcut APIs are designed to be called from a secure environment (your servers). Direct browser calls will typically fail due to CORS and would expose your secret key.
Recommended architecture
- Browser / client uploads to your backend
- Your backend calls Pixelcut API using X-API-Key
- Your backend returns a signed URL or stored asset to the client
Why this matters
- Prevents key leakage (the most common integration mistake)
- Lets you enforce your own auth, quotas, and abuse protection
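
The recommended architecture above as a backend handler that authenticates the caller, applies a quota, and attaches X-API-Key server-side. This is an added example, not Pixelcut's code. The env var name `PIXELCUT_API_KEY`, the placeholder endpoint URL, the session store, the quota values and the injected `send` transport are assumptions.

```python
import os
import time
import urllib.request

# Assumptions (not from the Pixelcut docs): the env var name, the endpoint
# placeholder, the session store and the quota values are all hypothetical.
UPSTREAM_URL = "https://api.example.invalid/PLACEHOLDER-ENDPOINT"
SESSIONS = {"session-abc": "user-1"}   # constructed sample session store
QUOTA, WINDOW = 3, 60.0                # max calls per user per window (seconds)
_calls = {}                            # user id -> recent call timestamps


def load_api_key(env=os.environ):
    """Read the secret from the server environment; fail closed if absent."""
    key = env.get("PIXELCUT_API_KEY", "")
    if not key:
        raise RuntimeError("PIXELCUT_API_KEY is not set on the server")
    return key


def allow(user, now):
    """Sliding-window quota, checked before any upstream call is made."""
    recent = [t for t in _calls.get(user, []) if now - t < WINDOW]
    ok = len(recent) < QUOTA
    _calls[user] = recent + [now] if ok else recent
    return ok


def build_upstream_request(image, env=os.environ):
    """Attach X-API-Key server-side; the client never supplies or sees it."""
    return urllib.request.Request(
        UPSTREAM_URL, data=image, method="POST",
        headers={"X-API-Key": load_api_key(env)})


def handle_upload(session, image, send, env=os.environ, now=None):
    """Authenticate, apply quota, call upstream, return only the asset URL."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, {"error": "not authenticated"}
    if not allow(user, time.monotonic() if now is None else now):
        return 429, {"error": "quota exceeded"}
    # send() is the injected transport (for example, a wrapper around urlopen
    # that stores the result and returns a signed URL for it).
    asset_url = send(build_upstream_request(image, env))
    return 200, {"asset_url": asset_url}   # the key never goes back to the client
```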