How to send API key to SPA securely?

There is no way to do this 100% save because everyone can open the developer console and inspect the code. The only workaround you have is using your backend in between. So, for example, do the API request to Google through your own backend and send the results back to the frontend. This is, however, a bit slower.

In general, you don't have to hide the API keys from google because they should whitelist certain domains from where they can fire the request. This way if you use the key on another domain, it wouldn't work. If there are problems with the key you can always refresh the key as a last solution.

This might be interested for you as well: http://billpatrianakos.me/blog/2016/02/15/securing-api-keys-in-a-javascript-single-page-app/

Thanks, so with google it's fine but I want also to secure my own api. So for this I presume I should generate key/token valid only for frontend subdomain... Any thoughts?

Use CORS, Laravel 7 ships with it. Or create your custom middleware that will use any logic you want... check headers, referer etc. https://laravel.com/docs/7.x/middleware#introduction