Skip to main content
When working with Muna, it’s crucial to keep your access keys secure, as exposing them can lead to unauthorized use of your services. Depending on the environment you are working in, here are guidelines for securing your access keys.

In the Browser

In browser-based applications, you should never expose your access key directly in your front-end code. Instead, proxy your requests through a backend route that injects the access key securely. Here’s how you can do it:

Create a Frontend Client

In the browser, the Muna client should reference an API route on your backend. For example:
page.tsx
// In your browser code...
const muna = new Muna({ url: "/api/muna" });

Create a Backend Route

On the backend, create an API route that securely handles the access key. For example, if you’re using the Next.js App Router, you can define a route like this:
api/muna/[...segments]/route.ts
import { type NextRequest, NextResponse } from "next/server"

async function handler(
  request: NextRequest,
  { params }: { params: Promise<{ segments: string[] }> }
) {
  try {
    // Build target URL
    const { segments } = await params;
    const path = segments?.join("/") ?? "";
    const targetUrl = new URL(path, `https://api.muna.ai/v1/`);
    targetUrl.search = request.nextUrl.search;
    // Build headers
    const headers = new Headers(request.headers);
    headers.set("Authorization", `Bearer ${process.env.MUNA_ACCESS_KEY}`);
    headers.set("x-forwarded-host", request.headers.get("host") ?? "");
    headers.set(
      "x-forwarded-proto",
      request.headers.get("x-forwarded-proto") ?? request.nextUrl.protocol.replace(":", ""),
    );
    headers.delete("host");           // recompute
    headers.delete("content-length"); // recompute
    // Build request
    const hasBody = !["GET", "HEAD"].includes(request.method.toUpperCase());
    const init: RequestInit & { duplex?: "half" } = {
      method: request.method,
      headers,
      redirect: "manual",
    }
    if (hasBody && request.body) {
      init.body = request.body;
      init.duplex = "half";
    }
    // Request
    const response = await fetch(targetUrl.toString(), init);
    // Respond
    const responseHeaders = new Headers(response.headers);
    responseHeaders.delete("content-length");
    responseHeaders.delete("content-encoding");
    responseHeaders.delete("transfer-encoding");
    responseHeaders.delete("x-middleware-rewrite");
    return new NextResponse(response.body, {
      status: response.status,
      headers: responseHeaders,
    });
  } catch (error) {
    const message = error instanceof Error ? error.message : "Unknown error";
    return Response.json({ errors: [{ message }] }, { status: 500 });
  }
}

export {
  handler as DELETE,
  handler as GET,
  handler as HEAD,
  handler as OPTIONS,
  handler as PATCH,
  handler as POST,
  handler as PUT
};
Make sure to not pass in any inputs when creating a prediction on the backend.
This ensures that the access key is securely stored on your server, while the browser interacts with your backend to make requests.

In Node.js

For Node.js applications, storing your access key in environment variables is a best practice. This keeps the key out of your codebase and secure on your system.

Create a Dotenv File

Create a .env file in the root of your project and store your access key like this:
.env
# Muna
MUNA_ACCESS_KEY="..."
When starting your Node process, you can then reference this .env file: 
# Start your Node process and load the `.env` file
# This requires Node 20.6+
$ node app.js --env-file .env
Finally, make sure that your .env file is never committed to version control by adding it to your .gitignore:
.gitignore
# Exclude environment variables from source control
.env

Create a Muna Client

The Muna client will automatically load the access key from the environment variable when instantiated in your code: 
// Create a Muna client.
const muna = new Muna();

In Unity Engine

In Unity applications, we strongly recommend following the same approach as in the browser: 
// In Unity code...
var muna = new Muna(url: "https://your.company.com/api");
In other cases, simply ensure that your Muna settings for your Unity project are not committed to version control:
.gitignore
# Muna
ProjectSettings/Muna.asset