Using Small API Proxies to Protect Frontend Keys
When a tiny backend service is cleaner than exposing service credentials in a browser app.
If a provider key should not be public, the browser should not receive it. A small API proxy can keep credentials server-side while giving the frontend a narrow endpoint to call.
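```js
// Assumes an Express `app` and a `providerUrl` constant defined elsewhere on the server.
app.get("/api/rates", async (req, res) => {
  // The key is read from the server environment and is never sent to the browser.
  const response = await fetch(`${providerUrl}?key=${process.env.API_KEY}`);
  // Do not relay upstream error bodies to the client.
  if (!response.ok) return res.status(502).json({ error: "upstream error" });
  res.json(await response.json());
});
```

Keep the proxy narrow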
Do not mirror the whole third-party API unless the app needs it. A focused endpoint is easier to cache, validate, rate-limit, and monitor.
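The following is an added example, not code from the original post: a framework-agnostic core for a focused `/api/rates` proxy that validates one allowlisted parameter, rate-limits per client, caches responses, and builds the upstream URL server-side. The `base` query parameter, the allowlist, the limits, and all function names are assumptions made for illustration.

```javascript
// Added example. ALLOWED_BASES, the limits and the `base` parameter are assumptions.
const ALLOWED_BASES = new Set(["USD", "EUR", "GBP"]); // only what the app needs
const CACHE_TTL_MS = 60000;
const WINDOW_MS = 60000;
const MAX_REQUESTS_PER_WINDOW = 30;

function createRatesProxy({ providerUrl, apiKey, fetchImpl = fetch, now = Date.now }) {
  const cache = new Map(); // base -> { expires, body }
  const hits = new Map();  // clientId -> { windowStart, count }

  // Validate: one allowlisted value; arrays and objects stringify to non-matching text.
  function parseBase(query) {
    const base = String(query.base ?? "USD").toUpperCase();
    return ALLOWED_BASES.has(base) ? base : null;
  }

  // Rate-limit: fixed window per client identifier (for example the source IP).
  function allow(clientId) {
    const t = now();
    const entry = hits.get(clientId);
    if (!entry || t - entry.windowStart >= WINDOW_MS) {
      hits.set(clientId, { windowStart: t, count: 1 });
      return true;
    }
    entry.count += 1;
    return entry.count <= MAX_REQUESTS_PER_WINDOW;
  }

  // The key is attached here, server-side; client input never reaches the URL unvalidated.
  function upstreamUrl(base) {
    const url = new URL(providerUrl);
    url.searchParams.set("base", base);
    url.searchParams.set("key", apiKey);
    return url.toString();
  }

  async function handle({ clientId, query }) {
    if (!allow(clientId)) return { status: 429, body: { error: "rate limit exceeded" } };
    const base = parseBase(query);
    if (!base) return { status: 400, body: { error: "unsupported base currency" } };
    const hit = cache.get(base);
    if (hit && hit.expires > now()) return { status: 200, body: hit.body }; // cache hit
    const response = await fetchImpl(upstreamUrl(base));
    if (!response.ok) return { status: 502, body: { error: "upstream error" } };
    const body = await response.json();
    cache.set(base, { expires: now() + CACHE_TTL_MS, body });
    return { status: 200, body };
  }
  return { handle, parseBase, allow, upstreamUrl };
}
```

In an Express route, `handle({ clientId: req.ip, query: req.query })` returns the status and body to send, and the 429, 400, and 502 counts are the natural signals to monitor.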