diff --git a/api/introduction.mdx b/api/introduction.mdx index a163fdebf..28a44b230 100644 --- a/api/introduction.mdx +++ b/api/introduction.mdx @@ -51,6 +51,12 @@ The admin API key is a server-side secret. Do not expose it in client-side code. ### Assistant API key + + Do not directly embed the assistant API key in client-side code. Any visitor who extracts the key can send requests on your behalf, consuming credits and potentially triggering overage charges. + + For production deployments, proxy assistant API requests through your own backend and store the key as a server-side environment variable. Routing requests through a proxy also lets you add rate limiting, authentication, and bot protection to prevent abuse. + + Use the assistant API key to authenticate requests to [Create assistant message](/api/assistant/create-assistant-message-v2), [Search documentation](/api/assistant/search), and [Get page content](/api/assistant/get-page-content) endpoints. Assistant API keys begin with the `mint_dsc_` prefix.
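Review bot: In the first added paragraph, "Do not directly embed the assistant API key in client-side code" is weaker than the admin-key wording in the context line just above ("Do not expose it in client-side code"), and "directly" can be read as permitting an obfuscated or build-time-injected key, which still ships to the browser and is just as extractable. Suggest dropping "directly" and matching the admin-key phrasing, for example "Do not expose the assistant API key in client-side code." In the second added paragraph, the proxy advice says "for production deployments", which leaves it unclear whether a client-side key is acceptable in staging or demo sites that are publicly reachable; the credit and overage risk described in the first paragraph applies to any reachable deployment, so consider removing the qualifier or saying so explicitly. The addition also gives no guidance for a key that has already been shipped in client code; if keys can be revoked or regenerated, a one-sentence pointer to that procedure would close the gap.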