If I build it on the front-end the api key would be exposed, I’d prefer to keep it in the backend
So once the new dashboard will be launched there will be address and method whitelisting. Also you’ll be able to restrict the dapp api key to be called via your domain where the frontend is deployed too. Like it happens currently in mexa-sdk flow.