Do I need Contentful API key in runtime?
Question
As a DevOps guy, I've got a JavaScript application that uses Contentful. During build time I need an API key to get some pre-compiled static data and save it in an output directory along with the rest of the built code.
This API key seems to be a secret, and it is not a problem to keep it safe while building.
But at run time the code is executed in a browser and this key has to be there, right in the hands of a [hostile] user.
Thus, I have two questions:
- Is it necessary to use an API key at runtime? Or is build time the last time we use the Contentful endpoint?
- Is it safe for us that a user has access to our API key via browser devtools? Is there any security-sensitive data that Contentful holds and hands over to those who possess the key?
Answer 1
Score: 1
The question is, what key makes it into the browser. Contentful has various APIs. The main ones are the Content Delivery API, Content Preview API and Content Management API.
The read-only Content Delivery API (CDA) returns already published content. If you're following best practices and didn't put sensitive info into Contentful, having it public only counts towards the API limits in case someone queries your publicly available content. Many people use a public key to power their frontends in exactly this way.
The read-only Content Preview API (CPA) returns draft content. While not a massive deal, having a CPA key in public is a little tricky because people could snoop around your unpublished content. Usually, CPA keys are somewhat hidden or gated by a flag to avoid this situation.
The read/write Contentful Management API (CMA) allows you to create/change/update content. People use it to build custom editing UIs or perform content migrations at scale. CMA keys should never make it to the public because they're usually bound to the user's access rights.


Comments