Guillaume Laforge

Architecture

Decoded: How Google AI Studio Securely Proxies Gemini API Requests

If you’ve recently vibe-coded and exported a Gemini-powered app from Google AI Studio to host it online on Google Cloud Run, you might have noticed a server/ directory containing a Node.js application. This isn’t just a simple file server; it’s a clever “transparent proxy” designed to solve a classic problem in frontend AI development:

How do I use my API key without leaking it to the browser?

In this post (although vibe-coding is supposed to be all about not looking at the code at all), we’ll dissect exactly how this architecture works, why it’s safer than a client-side key, and where its security limits lie.
