
Leanplum API keys exposed on client-side JavaScript?


I am building a web application, and for push notifications and messaging I am using Leanplum. Leanplum provides API keys like this: key='absc......' app_id='prod_abc.....'. Is it safe to expose these two keys in client-side JavaScript files which will be loaded in client browsers? What will be the possible impact of exposing these keys?


Solution

  • Leanplum has a Production Key and a Development Key.

    With the Production Key, you can send API requests like Track. Assuming that an attacker knows the User ID, the attacker can send garbage to the server, but that's it.

    With the Development Key, you can connect to the socket and update the In-app message template and other config stuff.

    So always use the Production Key on production!
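
A build-time check for the rule in the answer above, as an added example that is not part of the original answer or Leanplum's own code: it scans client JavaScript for development-mode initialization before the bundle ships. The `setAppIdForDevelopmentMode` and `setAppIdForProductionMode` call names come from Leanplum's JavaScript SDK; the `dev_` key prefix and every sample key are assumptions constructed for illustration.

```javascript
// Added example: flag Leanplum development-mode credentials in a client bundle.
// Assumption: development keys start with "dev_" (not stated on this page).
const DEV_MODE_CALL = /\bsetAppIdForDevelopmentMode\s*\(/g;
const DEV_KEY_LITERAL = /(['"`])(dev_[A-Za-z0-9]{8,})\1/g;

// 1-based line number of a character offset, for readable findings.
function lineOf(source, index) {
  return source.slice(0, index).split("\n").length;
}

function findLeanplumDevKeyUse(source) {
  const findings = [];
  for (const m of source.matchAll(DEV_MODE_CALL)) {
    findings.push({ line: lineOf(source, m.index), rule: "dev-mode-call" });
  }
  for (const m of source.matchAll(DEV_KEY_LITERAL)) {
    // Report only a redacted prefix so the scan output does not repeat the key.
    findings.push({
      line: lineOf(source, m.index),
      rule: "dev-key-literal",
      key: m[2].slice(0, 8) + "...",
    });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample bundles; all keys are made-up placeholders.
const productionBundle = [
  'Leanplum.setAppIdForProductionMode("app_EXAMPLEAPPID0001", "prod_EXAMPLEPRODKEY01");',
  "Leanplum.start();",
].join("\n");

const leakyBundle = [
  "if (debug) {",
  '  Leanplum.setAppIdForDevelopmentMode("app_EXAMPLEAPPID0001", "dev_EXAMPLEDEVKEY001");',
  "} else {",
  '  Leanplum.setAppIdForProductionMode("app_EXAMPLEAPPID0001", "prod_EXAMPLEPRODKEY01");',
  "}",
].join("\n");

console.log(findLeanplumDevKeyUse(productionBundle));
console.log(findLeanplumDevKeyUse(leakyBundle));
```

A debug branch like the one in `leakyBundle` still ships the development key to every browser even though it never runs in production, which is why the check looks at the bundle text rather than runtime behaviour.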