In requests straight from javascript in the frontend, the consumer app server would be bypassed. In this case the key will be visible in the javascript source.

So supporting direct javascript requests will be more involved. One reference implementation is Stripe publishable keys

Originally posted in #2 (comment)

Phoenix has built-in token generation: https://hexdocs.pm/phoenix/Phoenix.Token.html

Thread on token auth with elixir: https://elixirforum.com/t/is-there-any-recommended-way-of-doing-api-authentication/5954/5