[Best Practices] How to securely call external APIs from <script>?

Hi everyone,

I am trying to send API calls from a Webflow form’s data to various endpoints. The code currently works, but one of the endpoint URLs and bearer token is exposed.

This seems like a super common task and I’m wondering if there are existing best practices for how to handle this type of situation?

Read-only link.

Thanks in advance!


Yes. Use middleware to ensure you are not displaying credentials.

1 Like

Awesome! When you say middleware, can you be more specific? Do you mean tools like Zapier, Make, Pipedream, etc?

Those qualify and are low/no-code.

Great - thanks @webdev!

How would you secure the front end added endpoints/webhooks to Make/Zapier though? Wouldn’t anyone be able to grab those and use those just as well?

@SiavashVJ - If you needed to protect a webhook URL you could easily set up a reverse proxy that only allowed a certain referrer to post to a secret endpoint. You could also check for a value before running some steps.

can you please provide some steps, or any third party