The last example on the Angular homepage shows state being saved to a Mongo database using the MongoLab API; however, the API key is in the JavaScript file and easily viewable by the client. My question is: what is the correct way to securely communicate with the server-side REST API using Angular?
A pretty standard strategy is to run the API on the same domain as the AngularJS app (to prevent cross-domain issues).
So, for example, the routes for the entire app (backend + frontend) can be:
/ - frontend AngularJS app,
/api - REST API
The next step is authentication and authorization; this can be done with sessions. So when someone is accessing /api, you know which user it is and if he is permitted to do so.
Just to be clear - don't access Mongo directly from the frontend app; build an API for this.
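
The layout described in the answer above, as an added example that is not part of the original thread: a same-origin /api handler that authenticates with a session cookie, authorizes by the session's user, and keeps the database key on the server. The routes /api/login and /api/items, the UPSTREAM_API_KEY variable, the fetchItems stand-in and the demo user data are all assumptions made for illustration.

```javascript
const { randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

// Server-side secret: read from the environment, never shipped to the browser.
// UPSTREAM_API_KEY is a hypothetical variable name.
const UPSTREAM_API_KEY = process.env.UPSTREAM_API_KEY || 'constructed-demo-key';

const hash = (pw, salt) => scryptSync(pw, salt, 32);
// Constructed demo data: one login and a per-user item store.
const users = { alice: { salt: 'demo-salt', pwHash: hash('correct horse', 'demo-salt') } };
const items = { alice: ['first note'], bob: ['private to bob'] };
const sessions = new Map(); // session id -> username

// Stand-in for the server-to-database call; the key is only used on this side.
function fetchItems(user, apiKey) {
  if (!apiKey) throw new Error('server misconfigured: no upstream key');
  return items[user] || [];
}

function sessionUser(req) {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})/.exec(req.headers.cookie || '');
  return m ? sessions.get(m[1]) : undefined;
}

// Pure handler: { method, path, headers, body } -> { status, headers, body }.
function handle(req) {
  if (req.method === 'POST' && req.path === '/api/login') {
    const { username, password } = req.body || {};
    const u = Object.hasOwn(users, username) ? users[username] : null;
    if (!u || typeof password !== 'string' ||
        !timingSafeEqual(hash(password, u.salt), u.pwHash)) {
      return { status: 401, headers: {}, body: { error: 'invalid credentials' } };
    }
    const sid = randomBytes(32).toString('hex');
    sessions.set(sid, username);
    // HttpOnly keeps the id away from page scripts; SameSite limits cross-site sends.
    const cookie = `sid=${sid}; HttpOnly; Secure; SameSite=Strict; Path=/api`;
    return { status: 200, headers: { 'Set-Cookie': cookie }, body: { ok: true } };
  }
  if (req.method === 'GET' && req.path === '/api/items') {
    const user = sessionUser(req);
    if (!user) return { status: 401, headers: {}, body: { error: 'login required' } };
    // Authorization: data is selected by the session's user, not a client-supplied id.
    return { status: 200, headers: {}, body: { items: fetchItems(user, UPSTREAM_API_KEY) } };
  }
  return { status: 404, headers: {}, body: { error: 'not found' } };
}
```

The handler is written as a plain function so it can be exercised without opening a socket; in a real server it would sit behind the HTTP framework's routing and a persistent session store.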