Hello @Ankit,
The way we do it is pretty standard for content management systems. Having a public key visible in API requests on the client is standard, as well as being able to fetch content with that API key. That being said, if you want to lock everything down, you can choose to make all your models private. In that case, you would need to fetch all data from the server using a private API key. Here is a forum post that talks about how to do that