I'm looking to implement an address checker on a single HubSpot forms field. To do this, I am currently using the NZPost API to make dropdown suggestions and lookups. I have a working prototype on my own machine; however, I have found a bit of a flaw with the implementation.
Every time the user makes a request, they can easily see what the client id and secret are from any web inspector. I don't want anyone coming to this site, picking this up, and abusing the max request limit with these parameters, so I'm wondering if there is a way of hiding the client id and secret from users, whilst still being able to make requests. Is this possible?
It's not ever secure to include private authentication details (e.g. API key, client secret, etc.) in a frontend application. Doing so will always expose these details in one form or another. What you'll need to do is proxy the requests from your frontend JavaScript through a server that can process the request and make authenticated requests to this third-party service.
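An added example, not part of the original answer and not NZPost or HubSpot code: a small Node.js proxy of the kind the answer describes, which keeps the client id and secret in server-side environment variables, validates the one caller-controlled parameter, and rate-limits per client so the upstream quota cannot be drained through it. The upstream URL, the `client_id`/`client_secret` header names and the `q` parameter are placeholders, not the real NZPost API.

```javascript
// Added example: server-side proxy so the browser never sees the credentials.
// UPSTREAM_URL, the header names and the "q" parameter are placeholders (assumptions).
const UPSTREAM_URL = process.env.UPSTREAM_URL || "https://upstream.example/suggest";
const CREDS = { id: process.env.CLIENT_ID || "", secret: process.env.CLIENT_SECRET || "" };
const LIMIT = 30, WINDOW_MS = 60_000;   // per-IP budget protecting the upstream quota
const hits = new Map();                 // ip -> { start, count }

// Fixed-window rate limiter; returns true if this request may proceed.
function allow(ip, now = Date.now()) {
  const w = hits.get(ip);
  if (!w || now - w.start >= WINDOW_MS) { hits.set(ip, { start: now, count: 1 }); return true; }
  return ++w.count <= LIMIT;
}

// Accept only a short address-like query, then attach credentials server-side.
function buildUpstreamRequest(q, creds = CREDS) {
  if (typeof q !== "string" || !/^[\p{L}\p{N}\s,.'\/-]{3,100}$/u.test(q)) return null;
  const url = new URL(UPSTREAM_URL);
  url.searchParams.set("q", q);         // the only caller-controlled value sent upstream
  return { url: url.toString(), headers: { client_id: creds.id, client_secret: creds.secret } };
}

// Core handler: returns { status, body }; never echoes credentials or upstream error detail.
async function handle(rawUrl, ip, fetchImpl = fetch, now = Date.now()) {
  let u;
  try { u = new URL(rawUrl, "http://localhost"); } catch { return { status: 400, body: { error: "bad request" } }; }
  if (u.pathname !== "/suggest") return { status: 404, body: { error: "not found" } };
  if (!allow(ip, now)) return { status: 429, body: { error: "rate limit exceeded" } };
  const upstream = buildUpstreamRequest(u.searchParams.get("q"));
  if (!upstream) return { status: 400, body: { error: "invalid query" } };
  try {
    const res = await fetchImpl(upstream.url, { headers: upstream.headers });
    if (!res.ok) return { status: 502, body: { error: "upstream error" } };
    return { status: 200, body: await res.json() };
  } catch { return { status: 502, body: { error: "upstream error" } }; }
}

// HTTP wiring; the server starts only when ADDRESS_PROXY_PORT is set.
async function start(port) {
  const http = await import("node:http");
  http.createServer(async (req, res) => {
    const out = req.method === "GET"
      ? await handle(req.url, req.socket.remoteAddress)
      : { status: 405, body: { error: "method not allowed" } };
    res.writeHead(out.status, { "Content-Type": "application/json" });
    res.end(JSON.stringify(out.body));
  }).listen(port);
}
if (process.env.ADDRESS_PROXY_PORT) start(Number(process.env.ADDRESS_PROXY_PORT));
```

The form's JavaScript then calls `/suggest?q=...` on this server instead of the third-party service. If the proxy sits behind a load balancer, take the client address from that layer's trusted forwarding header rather than the socket address, or every visitor will share one rate-limit bucket.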