I'm new-ish to web development. Setting up a hobby website for weather forecasting. I have an API key to make 'GET' requests from a forecasting service (openweathermap). I know I don't want to expose this key to the public. So my current plan is to have the user select their location by text input, a client side JavaScript function sends this info to a server side Perl script which makes the 'GET+key' request to the forecasting service. The Perl script returns the forecast data to the client side JavaScript for display on the page.
Since the API key is stored in the server side script, I assume it is not visible to the public. Is this true and is my above approach good to use?
On the server, the client should not be able to see it. However, there are various things that you might do that could expose it. Use proper transport security (so, HTTPS, whatever), be careful with the output of error messages, store it somewhere away from the prying eyes of others, and so on.
Look into various ways to manage secrets. Some of these make it so you don't even know what the API key is.