In general, we recommend a three-tier architecture (browser -> app server -> API) for any applications you build. This would be our recommendation whether you're using Cloud CMS or anyone else. There are a few good reasons:
- The browser is an insecure runtime. Exposing any API keys within the browser is a very big security hole. Even exposing credentials within the browser (such as within a cookie) for the sake of working around this is also not recommended since hackers can siphon off the credentials from those cooking using CSRF attacks.
- Conversely, opening up general "anonymous access" means that the API is taking on request-time load. You definitely don't want to do that since you need to be able to scale the handling of requests to user load. An application server is ideal for that as it can perform server-side caching and provide CDN compatibility.
- Often you want finer control over the URL structure for SEO purposes. Referencing things via our API involves GUIDs and other important ID information that is not only non-SEO friendly but also insecure to reveal to the outside world if you can help it.
Here is our developers page that describes this in a bit more detail: