1. Hardcoding the API key on the client.
This is a big NO NO because you can easily find someone's key by searching the app binary... here's what that looks like:
2. Storing or obfuscation keys in CloudKit, config files, or plists.
Many think this is safe but the reality is it's just as insecure as hardcoding cuz your key still winds up in the network requests to OpenAl. With a simple MITM attack you can get someone's key like this:
3. Not monitoring and protecting your endpoints.
Even if you build your own proxy using something like Cloudflare, your endpoint can still be abused and end up costing you 💵. You need additional security on top of the proxy to prevent endpoint abuse.