If you're making requests to the /link-token endpoint, it should be hit from your backend, not frontend.

Generally, if a request requires your Merge API key, it should not come from your frontend because it would expose the API key to your users.

Did this answer your question?