API and Proxy Routes
The browser never talks directly to the protected control plane. All communication is proxied through server routes owned by the website.
Why this matters
- Secrets stay on the server.
- Rate limiting can be enforced at the web edge.
- Response shapes can be normalized for the UI.
This pattern makes the public product safer to operate and easier to evolve.