The xumm API can be called using an API Key and API Secret, which can be obtained from the Developer Console: https://apps.xumm.dev/
The xumm API is designed to be called from a server-to-server (backend) environment. Always send requests from your application frontend to your own application backend, and call the xumm API from your application backend.
The API Key and API Secret are sent to the xumm API using HTTP headers. See: https://docs.xumm.dev/concepts/payloads-sign-requests
Anyone in possession of your `X-API-Secret` can create payloads (sign requests) on behalf of your application. If abused, this can greatly damage the reputation of your application. Please, never implement the xumm API in a scenario where calls are made from the client side. Only call the xumm API from your application backend, keeping your API secret safe on the server side.
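The backend-only pattern described above, as an added example (not code from the xumm documentation or SDK). The endpoint URL, the `X-API-Key` header name, the response field names, the environment variable names, the `order` shape and the merchant address are assumptions made for illustration.

```javascript
// Added example. Assumed (not from the page): endpoint URL, X-API-Key header,
// response field names, env variable names, order shape, destination address.
const XUMM_PAYLOAD_URL = "https://xumm.app/api/v1/platform/payload";
const MERCHANT_ADDRESS = "rEXAMPLEmerchantAddressPlaceholder"; // placeholder

// Build the server-to-server request. The frontend only supplies an
// order; the transaction itself is defined here, so the backend does
// not become an open relay that creates arbitrary payloads with your secret.
function buildPayloadRequest(order, env) {
  const { XUMM_API_KEY: key, XUMM_API_SECRET: secret } = env;
  if (!key || !secret) throw new Error("xumm credentials not configured");
  if (!order || !Number.isInteger(order.amountDrops) || order.amountDrops <= 0) {
    throw new Error("invalid order amount");
  }
  return {
    url: XUMM_PAYLOAD_URL,
    options: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "X-API-Key": key,
        "X-API-Secret": secret, // read from server config, never sent to the browser
      },
      body: JSON.stringify({
        txjson: {
          TransactionType: "Payment",
          Destination: MERCHANT_ADDRESS,
          Amount: String(order.amountDrops),
        },
      }),
    },
  };
}

// Return to the browser only what it needs to show the sign request.
function toClientResponse(xummResponse) {
  return {
    uuid: xummResponse.uuid,
    signUrl: xummResponse.next && xummResponse.next.always,
  };
}

// Called from your own backend route handler (Node 18+ global fetch).
async function createSignRequest(order, env = process.env, fetchImpl = fetch) {
  const { url, options } = buildPayloadRequest(order, env);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`xumm API returned HTTP ${res.status}`);
  return toClientResponse(await res.json());
}
```

Fields the frontend adds to `order` beyond `amountDrops` are ignored, so a modified client cannot change the destination or transaction type of the payload your backend creates.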