Well, the clue seems to be in the name: it's got 'public_key', so that's a deliberate choice. The choice of the word 'exposed' makes it sound like it wasn't meant to be seen, but I'm not so sure.
The issue is more likely the signature parameter, which does require a secret key; the documentation does not show it as required. Is that what the author is interpreting as "I noticed that for uploading an image you only need a public key."?
> signature
> string
> signature is a string sent along with your upload request. It requires your Uploadcare project Secret key and it should be generated on your back end. See Secure Uploads for details.
I looked at several Uploadcare repos, including Swift and Java, and I can see a signature being generated.