Your API key wouldn't be exposed client-side anyways. code from an execute-code card is run server-side- heck the whole bot is run server-side and then streamed to the client browsers.