node.js reactjs api-key agora.io

How should I access my API key from frontend?


I am working on a side project that uses Agora (a WebRTC service). For every user to connect to each other, they would need my app ID (API key). For now, I am sending it to authenticated users; however, I feel like there is a better and more secure way to do this. I was wondering whether that's really the case or not.


Solution

  • Do not send your API key to the client. Any client with that key is able to make requests to the service as you, and anything that they get up to with that key is on you, and could impact your ability to use the service.

    If your service uses a refresh token, giving them the temporary token is less bad, but be sure to limit the token to significantly less than the standard five minutes.

    The most basic way to do that is to use an endpoint on your local server. Your frontend calls your backend, and the backend calls the service with the token. That works fine.

    If you need more performance, you can move on to using a reverse proxy that rewrites the request to include the token.

    I don't know your setup, but the node module http-proxy works well, and integrates well with expressJS. If you need serious performance and don't mind standing up another server, nginx in reverse proxy mode is a great way to do it.
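
The backend-endpoint and rewriting-proxy approaches described in the answer above come down to the same server-side step, sketched here as an added example that is not part of the original answer. The upstream host, the `X-Api-Key` header name, the `/api/channels/` route and the `SERVICE_API_KEY` environment variable are assumptions for illustration, not Agora's API.

```javascript
// Added example. UPSTREAM_HOST, the X-Api-Key header name, the
// /api/channels/ route and SERVICE_API_KEY are assumptions for illustration.
const UPSTREAM_HOST = 'api.example.invalid';
const ALLOWED_PATHS = [/^\/api\/channels\/[\w-]{1,64}$/]; // only what the frontend needs
const ALLOWED_METHODS = new Set(['GET', 'POST']);
// Never forwarded: credentials the client supplied, our own site's cookies,
// and hop-by-hop headers.
const DROPPED = new Set(['authorization', 'x-api-key', 'cookie', 'host',
  'connection', 'transfer-encoding', 'upgrade']);

// Returns options for https.request(), or null when the request must be refused.
function buildUpstreamRequest(clientReq, apiKey) {
  if (!apiKey) throw new Error('API key is not configured on the server');
  // URL parsing resolves "../" segments before the allowlist is applied.
  const url = new URL(clientReq.url, 'http://localhost');
  if (!ALLOWED_METHODS.has(clientReq.method)) return null;
  if (!ALLOWED_PATHS.some((re) => re.test(url.pathname))) return null;
  const headers = {};
  for (const [name, value] of Object.entries(clientReq.headers)) {
    if (!DROPPED.has(name.toLowerCase())) headers[name.toLowerCase()] = value;
  }
  headers['x-api-key'] = apiKey; // attached here; the browser never sees it
  return {
    host: UPSTREAM_HOST,
    method: clientReq.method,
    path: url.pathname.replace(/^\/api/, '') + url.search,
    headers,
  };
}

// Wiring into a plain Node server. In a real app, check the user's session
// before calling buildUpstreamRequest so only authenticated users are proxied.
async function startProxy(port) {
  const key = process.env.SERVICE_API_KEY;
  if (!key) throw new Error('SERVICE_API_KEY is not set');
  const http = await import('node:http');
  const https = await import('node:https');
  return http.createServer((req, res) => {
    const opts = buildUpstreamRequest(req, key);
    if (!opts) { res.writeHead(403); res.end(); return; }
    const upstream = https.request(opts, (up) => {
      res.writeHead(up.statusCode, up.headers);
      up.pipe(res);
    });
    upstream.on('error', () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(upstream);
  }).listen(port);
}
```

The path and method allowlist matters as much as the key injection: a proxy that forwards any path with the key attached gives every user the same reach as the key itself.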