phusion / juvia

A commenting server similar to Disqus and IntenseDebate.

Home Page: http://phusion.github.io/juvia/

Ability to hide the site key from the embed js

lgp171188 opened this issue · comments

The site key is visible explicitly in the embed js and hence can be used/abused by others having no relation to the site. So there must be some way to hide the key.

That's a pretty common paradigm for JavaScript embeds - comment systems, analytics, Twitter and Facebook widgets, etc. all do the same thing. Disqus gets around this by allowing you to specify a whitelist of domains that are allowed to post comments, which Juvia could easily do as well (submit a pull request!). Basically unless you want to write a Juvia proxy that you control, and handle all of the Juvia API stuff server-side, yeah, your key is going to be visible in the embed JavaScript.

What codykrieger said. We have to expose some identifier for this to work. So yeah, it can be abused in the form of having the comments embeddable on another site, but why exactly do you worry about it? Even if you build a whitelist system, if an attacker really wants to screw you he can just write a proxy that talks to your server.
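A sketch of the per-site-key domain whitelist that the two replies above describe, added here as an example and not code from Juvia itself; the site keys, hostnames and the `SITE_ALLOWED_HOSTS` lookup are constructed assumptions standing in for whatever a real Site model would hold.

```ruby
require 'uri'

# Constructed sample data: each embed site key maps to the hostnames allowed to use it.
# Hypothetical stand-in for a Site record; Juvia's real key format is not shown on this page.
SITE_ALLOWED_HOSTS = {
  'site-key-example-1' => ['blog.example.org', 'www.example.org'],
  'site-key-example-2' => ['docs.example.net']
}.freeze

# Extract the lowercased host from an Origin or Referer header value.
# Returns nil when the header is absent, empty, or not parseable as a URL.
def header_host(value)
  return nil if value.nil? || value.strip.empty?
  uri = URI.parse(value)
  uri.host&.downcase
rescue URI::InvalidURIError
  nil
end

# Decide whether a comment-posting request carrying `site_key` may proceed.
# Browsers send Origin on cross-origin POSTs; Referer is used as a fallback.
# Returns :ok, :unknown_site, :missing_origin or :host_not_allowed.
#
# Caveat, as the replies above point out: these headers come from the client, so a
# server-side proxy can set any Origin it likes. This check stops a casual copy of the
# embed snippet on another site, not a determined attacker.
def check_embed_origin(site_key, headers)
  allowed = SITE_ALLOWED_HOSTS[site_key]
  return :unknown_site if allowed.nil?

  host = header_host(headers['Origin']) || header_host(headers['Referer'])
  return :missing_origin if host.nil?

  # Exact host match only: a suffix match would let evil-example.org pass for example.org.
  allowed.include?(host) ? :ok : :host_not_allowed
end
```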

Is it possible to set and use a same domain/subdomain origin policy? I've heard about these words somewhere, not sure if they are relevant and applicable here, so just asking.