I signed up for an account and it seems you are showing a code snippet with an API key for client-side code. How do you handle authorization? Can anybody use up my 50k events if they steal the key?
No, that key is verified against your domain connected to your user credentials. Meaning that if someone else uses you key on their website, their POST request to my server will be declined because their domain is not the domain you provided.
But you're right, might be a good idea to change the name of the key or work it out completely, it does look like it could be a vulnerability from an outsiders persepctive.