Hi, welcome to the community.
Yes, generally speaking you would not disclose your API keys. In this case, however, you’re learning how to build the various components and link them all together - you’re not building an app for public consumption.
In production, it would most likely be your back-end which handled retrieving the data from the API and passing it to the front-end (the Wanderlust app).
Got it, thanks for taking the time to explain it for me!