3. Yes it’s an anti-pattern to check from the front end as you would need to give your secret key to the client in the browser, which the user could compromise