As to your questions.
1. API key
The API key for a backend application is required for personalizing all client-side requests to the Backend Services' API for a given application. It is intended to be used in the client app and is included in all API requests. All endpoints to a backend data store are constructed with the API key as one of the segments.
Nevertheless, anyone knowing your API key will not be authorized to read data from the app's backend if the permissions for the content types are properly set up.
2. User credentials
The described code snippet is used to log in a user in your app with the provided username and password, which are subsequently verified by the server and, in case of successful authentication, exchanged for an access token. It is also intended to reside in the client app.
You can store the token/credentials for further use on the user's machine (in local storage or a cookie, in the case of web apps), but a good practice is to ask for the user's permission to store the credentials.
What you need to ensure further is:
- The MasterKey for a project is never exposed client-side or to any third party. In general, operations that include the master key should be done only by you or performed in the Cloud Code layer for enforcing additional security or for performing some business logic operations.
- The content types in the backend project have the appropriate permissions set up. Content types in Backend Services are created with default permissions, and developers always need to verify that the type of permissions matches their scenario.
Thus, you can be sure that the authentication for a request will be based on the currently logged-in user's permissions (role-based security) and on the permissions for a content type (type-level permissions). In addition, you can specify item-level permissions for more refined access to the data.
Continuing on this, you can experiment with the permissions for a certain content type and explore the behavior of the quoted endpoint. For example, you can specify a predefined security policy or pick Role-Based from the drop-down menu and arrange a really flexible security strategy.
Moreover, you can create new roles and assign users to roles, so that you have solid control over the data access.
Here is the starting point in regard to security from our documentation: Features > Security > Introduction.
Please let us know if you have further questions; we will be happy to help.
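As an added example (not code from the answer above or from the Backend Services product), here is a simplified JavaScript model of the decision the answer describes: the API key only identifies the app, the access token identifies the user, and type-level, role-based and item-level permissions decide access, while the master key bypasses all of it and therefore must stay server-side. The permission modes, the ACL shape, the key and token values and the `authorize` function are assumptions made for illustration.

```javascript
// Constructed sample app configuration; the permission model is a simplification.
const APP = {
  apiKey: "app-api-key-EXAMPLE",         // ships inside the client app, not a secret
  masterKey: "master-key-NEVER-SHIPPED", // server-side / Cloud Code only
  // Type-level permissions per operation: "public", "private" (owner only),
  // or a list of roles allowed (role-based).
  contentTypes: {
    Announcements: { read: "public", write: ["admin"] },
    Invoices:      { read: ["accountant", "admin"], write: ["admin"] },
    Notes:         { read: "private", write: "private" },
  },
  // Access tokens issued at login, mapped to the authenticated user.
  sessions: {
    "tok-alice": { id: "u1", roles: ["accountant"] },
    "tok-bob":   { id: "u2", roles: [] },
  },
};

// Decide whether a request may perform req.op ("read" | "write") on req.type.
// item.owner and item.acl (an allow list of user ids) are optional item-level data.
function authorize(req, item = {}) {
  // A valid API key only says which application is calling; it grants nothing.
  if (req.apiKey !== APP.apiKey) return { ok: false, reason: "unknown app" };
  // The master key skips every permission check, which is why it must never leak.
  if (req.masterKey === APP.masterKey) return { ok: true, reason: "master key" };
  const user = req.token ? APP.sessions[req.token] : null;
  const rule = APP.contentTypes[req.type]?.[req.op];
  if (rule === undefined) return { ok: false, reason: "no such type/operation" };
  if (rule === "public") return { ok: true };
  if (!user) return { ok: false, reason: "login required" };
  if (rule === "private") {
    return item.owner === user.id ? { ok: true } : { ok: false, reason: "not owner" };
  }
  // Role-based: the user must hold one of the roles allowed for the type...
  if (!rule.some((r) => user.roles.includes(r))) return { ok: false, reason: "role" };
  // ...and an item-level ACL, when present, narrows access further.
  if (item.acl && !item.acl.includes(user.id)) return { ok: false, reason: "item acl" };
  return { ok: true };
}
```

Note that a request carrying only the (public) API key succeeds against a public type and fails against a role-based or private one, which is the property the answer relies on.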