I have a functioning WASM (Blazor) SPA and I want to add payments to it. Obviously this requires the use of secure API keys, and so I don't think they should be stored in the app itself.
I am debating with myself and have a couple of choices. I can:
a. Run the payment process on a (say) Razor Page on the server and somehow get the result back to the client, or
b. Run the payment (JS drop-in) on the client, but go and get the API keys from the server as they are being used and delete them afterwards.
I am favouring b., but I am wondering if that is going to open up some massive security hole I am not aware of.
If I use a., I can get to a Razor Page on the server OK. But I think that will lose the application flow and not be a great user experience.
Which approach should I use? Thanks in advance.