Hi @Kawwl 
You are correct 
All calls made with the REST API plugin our made client-side and should NOT contain any secret API key.
If you use our OpenAI plugin, then your secret key and prompts configured in the plugin will be kept private.
You may think that because you read it in our user docs article on the OpenAI plugin
In any case, calling OpenAI directly from your backend is also an option as @Broberto mentioned!
Since you’re familiar with Xano, you might enjoy this live stream @Quentin and @Locky did together on how to build a chatGPT clone with Xano and WeWeb.