How do you store an API key (token) client side without the user being able to see/access it?

I am working on a project that is handling sensitive customer information. Obviously security is a high priority.
We have recently created an API that we want to use to be able to access the database to access / modify the data.
What is the best way to store an API token client side? We currently are using the meta tag of the html template file to store the csrf token, but we do not want the API token to be visible.

Here is the code for the csrf token and it works.

 //Capture and store the csrf Token
  useEffect(() => {
    const csrfToken = document.querySelector('meta[name="csrf-token"]').getAttribute('content');
    setToken(csrfToken);
    console.log({sessionToken, csrfToken});
  }, []);

Here is the <head> tag for the index file we are using as a template

<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta name="csrf-token" content="{{ csrf_token }}">
  <meta name="api-token" content="{{ request.session.api_token }}">
</head>

This also works, but then the API token is visible if someone inspects the page.

We are using a Django / Python backend and a React front end.
Would this involve the use of cookies? Or does it get more complicated than that?
Any help would be greatly appreciated. Let me know if you need to see any other parts of the code.

I tried adding it to the meta tag, and adding it to session storage. Neither of these options felt correct.

Storing an API key client-side without exposing it to users can be challenging, as client-side code is inherently accessible to users. However, there are some techniques you can use to enhance security. Here are a few options:

Server-side Proxy: Instead of storing the API key directly on the client-side, you can create a server-side proxy that acts as an intermediary between your client and the API. The client sends requests to your server, which then includes the API key in the server-to-server communication with the actual API. This way, the API key remains hidden from the client. I found this on github about this method, maybe it is worth you taking a look at it: https://github.com/eofs/django-rest-framework-proxy

Token-based Authentication: Consider implementing token-based authentication, such as JSON Web Tokens (JWT), where the client exchanges a user-specific token for access to protected resources. The server can generate and manage these tokens, validating them on each request. This approach avoids exposing the API key directly to the client. More about JWT and implementing it with Django Rest Framework here: https://www.freecodecamp.org/news/how-to-use-jwt-and-django-rest-framework-to-get-tokens/

Backend Session Storage: You mentioned using Django as the backend. One option is to store the API key securely in the backend session storage after authenticating the user. The session can be associated with the user's authenticated session, allowing the server to handle API requests on behalf of the user without exposing the API key to the client. See: https://docs.djangoproject.com/en/4.2/topics/http/sessions/

Server-Side Environment Variables: This is a common practice; you can store the API key as an environment variable on the server-side. This way, the key remains hidden from the client code. Your backend code can then access the environment variable and use the key for API requests.

Remember, while these approaches enhance security, there is no foolproof way to completely hide sensitive information from a determined attacker who gains access to the client-side code. Therefore, it's crucial to implement additional security measures like server-side validation, rate limiting, and monitoring to protect sensitive customer information.