Closed thomas-frantz closed 9 years ago
In your demo you instantiate Pusher using the application's key. Is this not supposed to be kept secret? This effectively exposes it to the browser.
var pusher = new Pusher('{{Config::get('pusher.appKey')}}');
https://github.com/cmgmyr/laravel-messenger-pusher-demo/blob/master/resources/views/app.blade.php#L70
This is a demo, but it doesn't seem like a good idea to encourage this, depending on what the user does with the key.
Ah, ignore me. I didn't see "pusher.appKey"; I thought it was just the app key.
My bad