Hide API Keys from Your Frontend — No Backend Required

If you have ever built a frontend that calls a third-party API, you have faced this problem: the API requires a key, but putting that key in your JavaScript means anyone can see it. The usual fix is to build a backend proxy — a small server that holds the key and forwards requests on your behalf. It works, but now you have a server to write, deploy, and maintain. For many projects, especially prototypes, side projects, and JAMstack sites, that is a lot of overhead for what should be a simple API call. Mongrel.io lets you skip the backend entirely. It acts as a server-side proxy that injects your credentials at request time, so your API keys never appear in your frontend code. The problem in detail Here is what the insecure pattern looks like. You want to call a weather API, so you write something like this: const response = await fetch ( " https://api.weather.example/forecast?city=Sydney " , { headers : { " X-API-Key " : " sk_live_abc123def456 " } }); const data = await response . json