It seems to support both? First it tries to load the key from an environment variable, and if it cannot, it'll ask for it client-side.
Nonetheless, if you're building a project for others, you most likely don't want the secret key to be public, which it'd be if you embed it in the client-side code.