Is it safe to expose sendgrid api key to frontend

[sagarPakhrin]

I was going through the docs to send email with react and sendgrid and I noticed

sendgrid.setApiKey(process.env.SENDGRID_API_KEY);

As far as I know during the build, the api key will be bundled and expose to the browser.
Now my questions is, is it safe to expose the api key to the frontend?
Anybody who can gain access to the api key can easily take it and spam the sendgrid contacts right?
Or is it ok?

[jinsley8]

No don't use it in client unless Sendgrid allows you to whitelist your hosting IP or domain.

[bukinoshita]

I was going through the docs to send email with react and sendgrid and I noticed

sendgrid.setApiKey(process.env.SENDGRID_API_KEY);

As far as I know during the build, the api key will be bundled and expose to the browser. Now my questions is, is it safe to expose the api key to the frontend? Anybody who can gain access to the api key can easily take it and spam the sendgrid contacts right? Or is it ok?

Yeah, use it in the server to not expose your API Key

[paymog]

What's the pattern for using this package purely on the backend where it's safe to expose a sendgrid client? It seems that using react/jsx/tsx files in a node backend isn't well supported. Is there a pattern we can follow to use this package in a nodejs backend?