MetaMask has its own method for using services in a dapp that require authority. However, I find it pretty unsafe. It took me around 1 hour to figure out the
When you check the source code, you can't see any hard-coded API keys. They use an environment variable instead, and provide it from the build machine. So the key must be inside the build files.
In MetaMask's browser extension, all the magic happens in background.js, which runs like a background worker. So you can't track its network traffic in dev tools unless you have the background.html page open.
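Because a value injected from an environment variable at build time ends up inside the shipped files, a release check can confirm which build-time secrets are present in the bundle before publishing. The following is an added example, not MetaMask's code; the variable name, key value and bundle contents are constructed, and the function takes file contents as an in-memory map for simplicity.

```javascript
// Added example: names, values and bundle contents below are constructed.
// Encodings under which a build-time-injected value commonly survives bundling.
const encoders = {
  literal: (v) => v,
  base64: (v) => Buffer.from(v, 'utf8').toString('base64'),
  urlencoded: (v) => encodeURIComponent(v),
};

// files: { path: contents }, env: { NAME: value }, secretNames: names that must not ship.
function findEmbeddedSecrets(files, env, secretNames, minLength = 8) {
  const findings = [];
  for (const name of secretNames) {
    const value = env[name];
    // Skip unset or very short values: they would match unrelated text.
    if (typeof value !== 'string' || value.length < minLength) continue;
    const seen = new Set();
    for (const [encoding, encode] of Object.entries(encoders)) {
      const needle = encode(value);
      if (seen.has(needle)) continue; // e.g. urlencoded form identical to literal
      seen.add(needle);
      for (const [path, contents] of Object.entries(files)) {
        let offset = contents.indexOf(needle);
        while (offset !== -1) {
          // Report where the value sits, never the value itself.
          findings.push({ name, path, encoding, offset });
          offset = contents.indexOf(needle, offset + needle.length);
        }
      }
    }
  }
  return findings;
}

// Constructed sample: a build environment and three bundled files.
const sampleEnv = { EXAMPLE_API_KEY: 'k3y-constructed-0000', NODE_ENV: 'production' };
const sampleFiles = {
  'dist/background.js': 'fetch("https://api.example.invalid/v1?key=" + "k3y-constructed-0000");',
  'dist/ui.js': 'const cfg = atob("' + Buffer.from('k3y-constructed-0000').toString('base64') + '");',
  'dist/inpage.js': 'console.log("no secrets here");',
};
const sampleFindings = findEmbeddedSecrets(sampleFiles, sampleEnv, ['EXAMPLE_API_KEY']);
console.log(sampleFindings);
```

Any finding means the key is readable by anyone who unpacks the extension, so it should be treated as public: restrict it server-side or move the call behind a proxy that holds the real credential.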