79289768

Date: 2024-12-18 01:47:54
Score: 1.5

I know it's an important feature, but it also brings with it a big security problem: if an attacker manages to obtain one of your secret keys and obtains the complete list of subscribed users, they could, with that information, attack the entire project. It is important that the API key that will have contact with the client (app, js, etc.) only have read permission.

Reasons:
  • No code block (0.5):
  • Single line (0.5):
  • Low reputation (0.5):
Posted by: Teu