
Secure Branch Key in Web SDK

Open: idalv opened this issue 6 years ago • 1 comment

According to the documentation, the only way to use the Web SDK is to call init and pass the Branch key when doing the call. Doing that makes the key accessible to the web clients. And since I could not find any other validation - like white-listing the domains or anything else - one could easily take the key and at least:

  1. Use $desktop_url when creating a link with .link (I tried that) or any other $xxx_url to navigate to his/her or any random site.
  2. And if this is not very worthy, he/she could just generate a lot of MAUs and bump the key owner's bill.

I just started looking at the Branch service yesterday, so probably I am missing something? However, the first use case can be easily tried with the key from your sample app on https://cdn.branch.io/

idalv, Oct 11 '19 07:10
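The first case in the report above (a link created with the exposed key whose `$desktop_url` or other `$xxx_url` points at an arbitrary site) can be caught after the fact by auditing link data against the domains the key owner controls. This is an added example, not part of the original issue or of Branch's code; `auditLinkData`, `ALLOWED_HOSTS` and the sample records are hypothetical, and how the link data is exported is assumed.

```javascript
// Added example: flag redirect-control keys ("$..._url", e.g. $desktop_url)
// whose target is outside an allowlist of hosts the key owner controls.
const ALLOWED_HOSTS = ["example.com"]; // hypothetical allowlist

// Matches $desktop_url and any other "$xxx_url"-style key.
const REDIRECT_KEY = /^\$[a-z0-9_]+_url$/i;

// Exact host or a true subdomain; "example.com.evil.test" does not match.
function hostAllowed(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowed.some((a) => h === a || h.endsWith("." + a));
}

// Returns one finding per suspicious redirect key in a link's data object.
function auditLinkData(data, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const [key, value] of Object.entries(data || {})) {
    if (!REDIRECT_KEY.test(key)) continue; // not a redirect key
    let url;
    try {
      url = new URL(String(value));
    } catch {
      findings.push({ key, value, reason: "unparseable URL" });
      continue;
    }
    if (url.protocol !== "https:" && url.protocol !== "http:") {
      // Assumption: non-web schemes are worth a manual look.
      findings.push({ key, value, reason: "non-web scheme " + url.protocol });
    } else if (!hostAllowed(url.hostname, allowed)) {
      findings.push({ key, value, reason: "host not allowlisted: " + url.hostname });
    }
  }
  return findings;
}

// Constructed sample records, not real link data.
const SAMPLE_LINKS = [
  { id: "a", data: { "$desktop_url": "https://shop.example.com/p/1", title: "ok" } },
  { id: "b", data: { "$desktop_url": "https://example.com.evil.test/login" } },
  { id: "c", data: { "$xxx_url": "https://example.com@other.test/" } },
];

// Links with at least one finding, as [{ id, findings }].
function auditAll(links, allowed = ALLOWED_HOSTS) {
  return links
    .map((l) => ({ id: l.id, findings: auditLinkData(l.data, allowed) }))
    .filter((r) => r.findings.length > 0);
}
```

The subdomain check and the use of the parsed `hostname` are what keep look-alike hosts and `user@host` URLs from passing as allowlisted.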

What do you mean by MAUs?

Walidhossain010, Aug 02 '20 07:08