authentication – How to manage API keys

I’m trying to consume a payment processor API (not developed by my), but (being honest) I don’t know anything about security, I don’t understand API keys and authentication, I have multiple questions about API’s that I couldn’t resolve no matter how much research I did, the questions are:

  1. What could happen if someone steal the payment processor API keys? I mean, I know for example that if someone steals your Google API keys he can use Google API charging it to my credit card (there are multiple cases all around the world), but in this case the API keys are used to process the payment, I don’t understand what they can do with my API keys

  2. Where should I store my keys, I’m using React.js CRA as Front-end and PHP as backend, I was making some research and this is what I found:https://medium.com/better-programming/how-to-hide-your-api-keys-c2b952bc07e6

    the post says: “if you wish to totally mask your key, you should make a backend that proxies your requests, and store the API key there”, so at this point my question is should I send the request to my backend then my backend sends a request to payment processor API?.

  3. When developing my own API should I use authentication no matter what I am going to do?, I mean, I know that authentication is for user login functionalities, but, should I use Auth to bring products from a database?

  4. When generating API keys is it safe to store them in a database?

Please try to be gentle I don’t understand security, I’m trying to do my best