and kinda weird but not unexpected on second thought to see my API key in there

If your data is anyway public, then it's ok to expose your Search API keys publicly. More info here: https://typesense.org/docs/guide/data-access-control.html#exposing-api-keys-to-your-frontend If you need access control for individual records, you want to use a Scoped Search API key that is generated on the backend, pass it to the FE and make calls with that