What's the best method for hiding private API tokens/keys when developing webOS (Enyo and/or Mojo) apps?

The only solution I see is to create a proxy on a server and have all requests that need a key pass through there. Is this the correct way to go about it?

I just want to make sure I'm thinking in the right direction. I have researched all over online, but I don't think any other platforms have this issue.

Also, if a proxy is the best solution.. does anyone have any tips/resources/words of advice. I'm new to this scene so I'm still trying to understand things like making sure a proxy can distinguish my app from any malicious traffic. I was looking into node.jsjsjs $for$ $the$ $proxy$ $as$ $well$.