I’m trying to figure out the best way to call an external API (hosted on my server) while hiding the API key.
Of course, I can just add the API key in the package, but the user can easily open the .xpi file and see the key. I can also force the user to create an account and sign in, but I’d like it to just work “out of the box”.
Alternatively, would there be a better way to ensure that only Thunderbird users using my addon have access to the API (to avoid abuse)?