Dealing with CORS issues

Our Symbl APIs can be called directly from the browser; however, doing so is not recommended in production.

The main reason why we don’t recommend this practice is that it ends up exposing your appId and appSecret in the browser, as they are required to generate the auth token.

But if you’re making sure that the token generation mechanism is moved away from your web app and is securely handled in your back-end service, which can deliver the token to your web app securely, then it should be all right.

Ideally, we recommend that you use a Web Proxy server of your own deployed under your domain so that it ensures that the API calls are made from your trusted domain.

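The back-end token handling described above, sketched as an added example (not code from the original post or from Symbl): the server holds `appId` and `appSecret`, and the browser receives only a short-lived access token. The token endpoint URL, the request and response field names, the allowlisted origin and all function names are assumptions for illustration.

```javascript
// Added example: back-end token broker. appId/appSecret stay on the server;
// the browser only ever receives a short-lived access token.
// ASSUMPTIONS: endpoint URL, request/response field names and every
// function name here are illustrative, not taken from the post.
const TOKEN_URL = "https://api.symbl.ai/oauth2/token:generate"; // assumed endpoint

// Return CORS headers only for origins you explicitly trust (never "*").
function corsHeadersFor(origin, allowedOrigins) {
  if (!origin || !allowedOrigins.includes(origin)) return null;
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// Build a handler that exchanges the server-held credentials for a token and
// caches it until shortly before expiry, so the secret is used sparingly.
function createTokenBroker({ appId, appSecret, allowedOrigins, fetchImpl = fetch, now = Date.now }) {
  let cached = null; // { accessToken, expiresAt }

  async function getToken() {
    if (cached && cached.expiresAt - now() > 60_000) return cached;
    const res = await fetchImpl(TOKEN_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ type: "application", appId, appSecret }),
    });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const { accessToken, expiresIn } = await res.json(); // assumed field names
    cached = { accessToken, expiresAt: now() + expiresIn * 1000 };
    return cached;
  }

  // Framework-agnostic: takes the request's Origin header, returns a response.
  return async function handle(origin) {
    const cors = corsHeadersFor(origin, allowedOrigins);
    if (!cors) return { status: 403, headers: {}, body: { error: "origin not allowed" } };
    try {
      const t = await getToken();
      const expiresIn = Math.floor((t.expiresAt - now()) / 1000);
      return { status: 200, headers: { ...cors, "Cache-Control": "no-store" },
               body: { accessToken: t.accessToken, expiresIn } };
    } catch (err) {
      // Do not echo upstream errors to the browser; they may carry request details.
      return { status: 502, headers: cors, body: { error: "token service unavailable" } };
    }
  };
}
```

The `Origin` header can be set freely by non-browser clients, so mount this handler behind your application's own user authentication rather than relying on the allowlist alone.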