embedding api key in public page is a security risk

[fabiolecca]

if I publish the widget with url and API key, I can use the api key included in the widget page to go to the /settings/ endpoint and read out the OpenAI API keys.

[zAlweNy26]

You are totally right, we are planning to add some sort of security layer.
I'll tag @pieroit for better response

[pieroit]

@fabiolecca do you have a suggestion on how to improve this?

A fully fledged user and auth system is out of scope for the project, but agree we should give more security.