Hey, friends. I've developed a few JS elements (flashcards, quizzes, etc) that are to be used in courses just for self-checks. There have been requests for these interactions to be also recorded into the gradebook, so that means I need to use the API.

• I'm going to be checking things in our instance, so I need a secure way to use an API Key without having it directly in the JS for obvious reasons. We're cloud-hosted, and I'm just starting with this. 
• We're going to be passing our JS to other institutions when we deliver courses we have developed for them. So I also need instructions on the best way for them to handle their API keys securely. I don't mind giving them a separate version of the code if need be.
• All JS is applied in the Theme Editor with the custom CSS. This is vanilla JS, no React.

I started researching this and got quickly overwhelmed with answers that kinda seemed to be the right track, only to discover that it does not apply to my situation. I'm happy to do the reading if somebody can point me in the direction of the appropriate approach(es) for my situation.

Thanks in advance, I appreciate your help.

Nat