Okay, so this question has been up for a while, and there are a bunch of good answers here that haven't been accepted, so I'll just throw in my two cents and see if it helps. If *your* credentials are going out with your JavaScript, they can't be kept secret. However, if your credentials are stored on the server, you *can* keep them secret, by having a server-side function use them. In this way, you can examine the incoming request from JS using your server-side function, and determine if it's legitimate. If it is legit, you can pass it through to the REST API using your credentials, and if it's not, send back an error message. That's how I would do it, anyway. Hope that helps.
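A sketch of the server-side check this answer describes, added here as an illustration and not code from the answer's author. It is written for Node.js; the host names, session store, route list, `UPSTREAM_API_KEY` variable and Bearer scheme are all assumptions.

```javascript
// Added example: server-side proxy decision logic. All names are hypothetical.
// The API credential lives only in server configuration, never in browser JS.
const CONFIG = {
  upstreamBase: "https://api.example.invalid/v1", // placeholder REST API
  apiKey: process.env.UPSTREAM_API_KEY || "constructed-demo-key",
  allowedOrigin: "https://app.example.invalid",
  // Allow-list of what the browser may ask the proxy to do.
  allowedRoutes: new Set(["GET /widgets", "POST /widgets"]),
};

// Constructed session store; a real app would use its session framework.
const SESSIONS = new Map([["sess-abc123", { user: "alice" }]]);

// Examine the incoming browser request and decide whether to forward it.
// Returns { ok: false, status, error } or { ok: true, upstream: {...} }.
function authorizeAndBuild(req, config = CONFIG, sessions = SESSIONS) {
  if (!sessions.has(req.sessionId))
    return { ok: false, status: 401, error: "not signed in" };

  // State-changing requests must come from our own front end.
  if (req.method !== "GET" && req.origin !== config.allowedOrigin)
    return { ok: false, status: 403, error: "bad origin" };

  // Normalize the path so "/widgets/../admin" cannot slip past the allow-list.
  const path = new URL(req.path, "http://proxy.local").pathname;
  if (!config.allowedRoutes.has(`${req.method} ${path}`))
    return { ok: false, status: 403, error: "route not allowed" };

  return {
    ok: true,
    upstream: {
      url: config.upstreamBase + path,
      method: req.method,
      // Credential is attached on the server; client headers are not copied.
      headers: { Authorization: `Bearer ${config.apiKey}` },
      body: req.method === "POST" ? req.body : undefined,
    },
  };
}

// What the browser receives never includes the credential.
function clientResponse(decision, upstreamResult) {
  return decision.ok
    ? { status: 200, body: upstreamResult }
    : { status: decision.status, body: { error: decision.error } };
}
```

The `upstream` object is what the server would hand to its HTTP client; only the output of `clientResponse` goes back to the browser.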