I am doing my own project which is pulling data from an external API (NASA in this case). I have done a couple of the React projects (Ravenous and Jammming) where the front-end was directly accessing the API. This seems to be set up fine in Jammming using the Implicit Grant Flow, although the code was a little trickier than a basic AJAX request. However, in Ravenous the apiKey is stored in the React components and it seems like it would be exposed if that site was published. So I am thinking that this is fine for a practice project running locally but not the best set-up if something similar was to go live.
My limited research tells me that I should probably do a small back-end Express server to keep the private key and call the API when requested, and then have my React app get the data from the back-end. Is this the correct approach?