I added a media button in WordPress editor, just like the code
add_action('media_buttons', 'add_my_media_button');
function add_my_media_button() {
echo '
<input id="up_to_chevereto" type="file" accept="image/*" multiple="multiple"/>
<label for="up_to_chevereto" id="up_img_label"><i class="fa fa-picture-o" aria-hidden="true"></i> upload images to Chevereto</label>
';
?>
<style type="text/css">...</style>
<script type="text/javascript">
$('#up_to_chevereto').change(function() {
...
});
</script>
<?php
}
I left my api key in the javascript area, I wonder if this is safe or not.
It is always insecure to leave API keys within javascript code. If it is unnecessary, then see on Chevereto for your API key settings to restrict usage per domain. If such option is not possible, then you should avoid rendering your API key in javascript.