API Key Security

I am creating a Web app with NextJS. Is it safe to set the API key as a NextJS public environment variable and turning on domain whitelisting or does Tomtom recommend another method?

I plan on using the search api

If you have a backend then you can have two API keys. One for Map tiles only (with domain whitelisting set), which will be used at frontend to show a map. Second for Search API to be used at backend.