License key "premium-embedding-token" is visible to users

Describe the bug:
The premium-embedding-token license key is visible to users.
The key can be copied and entered on any installation, and the owners of the key will have to pay users.
At the same time, there is no way to find out where the key was used or block the use of the key by hostnames and IP addresses.

To reproduce:
The key can be seen in the responses of the API endpoint /api/session/properties in the browser.
This endpoint is executed when any public Metabase page is opened (see the screenshot below).

  1. Open any public Metabase page, open the browser's Developer Tools, and go to the Network tab.
  2. In the response body for the /api/session/properties endpoint, find the premium-embedding-token.

Expected behavior:

  1. The premium-embedding-token key is returned encrypted.
  2. Restriction of key usage by hostnames and IP addresses.
  3. It is possible to see the IP addresses and hostnames where the key was used.

Currently, it is possible to hide the key in the /admin/settings/license interface by using environment variables, but it doesn't affect the /api/session/properties endpoint.
This is probably the main bug that can be fixed promptly.

This only happens because you’re an admin. Unauthenticated API calls don’t see that.

Also, I think that in recent versions we also hid this from the admins as well.

@Luiggi, thank you for your answer. The "Administrator" access level is necessary for developers' work, and there are many developers on the team, so they can change. Therefore, it is important that only the owner of the key can see it.

Also, I think that in recent versions we also hid this from the admins as well

Updated to the latest version 1.50.26, the premium-embedding-token key is not returned via API. Thank you!
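
An added example, not part of the original thread and not Metabase code: one way to check a saved /api/session/properties response body from your own instance for a clear-text premium-embedding-token without printing the key itself. The sample bodies are constructed, and their JSON shapes and the ten-asterisk mask convention are assumptions.

```python
import hashlib
import json

# Setting named in the report; extend with other keys you treat as secret.
SENSITIVE_KEYS = {"premium-embedding-token"}
# Assumption: a value that begins with ten asterisks is a masked placeholder.
MASK_PREFIX = "*" * 10


def exposed_settings(body, sensitive=SENSITIVE_KEYS):
    """Return [(json_path, fingerprint)] for sensitive keys with a clear value.

    The value itself is never returned, only its length and a short SHA-256
    prefix, so the result can be pasted into a ticket without leaking the key.
    """
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}/{key}"
                if (key in sensitive and isinstance(value, str) and value
                        and not value.startswith(MASK_PREFIX)):
                    digest = hashlib.sha256(value.encode()).hexdigest()[:12]
                    findings.append((child, f"len={len(value)} sha256={digest}"))
                else:
                    walk(value, child)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}/{index}")

    walk(json.loads(body), "")
    return findings


# Constructed sample bodies (assumed shapes, not captured from a real instance).
KEY_IN_CLEAR = '{"site-name": "Example", "premium-embedding-token": "constructed-token-0123456789abcdef"}'
KEY_NULL = '{"site-name": "Example", "premium-embedding-token": null}'
KEY_ABSENT = '{"site-name": "Example"}'
KEY_MASKED = '{"settings": [{"premium-embedding-token": "**********ef"}]}'

if __name__ == "__main__":
    for name, body in [("key in clear", KEY_IN_CLEAR), ("key null", KEY_NULL),
                       ("key absent", KEY_ABSENT), ("key masked", KEY_MASKED)]:
        print(f"{name}: {exposed_settings(body) or 'no clear-text key'}")
```

Run it against bodies saved from an admin session and from a logged-out session, before and after an upgrade, to confirm which roles still receive the key.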