[littlecranky67]

Not if its publicly called from Javascript, as your user's browser will make those requests. You neither know their IP addresses, nor is the referer or origin header a safe choice as it can be spoofed outside of a browser.

[lucavice]

If it's called from Javascript in the browser, it's not a secret API key....

[shakna]

Which is why Google calls it a public API key...

[littlecranky67]

there are plenty of API keys distributed like this by design. For example, google maps requires this, else your (anonymous) users can't use an embedded google map on your website. And a public firebase app needs some kind of API key, too.