I can see that the API can be consumed in two ways:
* Backend with the API key hidden and setting IPs.
Generally speaking, is there a recommendation for which to opt for if it makes little to no difference for me and the application where the request is made?
Currently, I'm just doing it in the backend since I felt like making a FOSS Java wrap anyway, and prefer the idea of keeping the API key hidden if the requirements allow for it, plus might avoid users from making manual requests for other companies/officers via the browser dev tools using my API key.
The only things that I think goes for client side would be it'd finish the request a little faster since it's made directly rather than being proxies through the backend, plus if the backend is down for whatever reasons it'd break on the frontend?