I'm a developer and want to say that storing API keys in the browser is probably the least secure place to store them. They are sniffable and vulnerable (XSS, or other attacks) by other apps. This software looks amazing but this issue makes this a no go for me until a better solution to API Key storage is found.

If you do store them in the browser, you need to encrypt them first and still need to keep a private encryption key on your own servers. You can also check out some "secure key vault" services that may be able to help you solve this problem.

They should be stored and encrypted on your own servers or you should seek out other solutions, but browser storage is definitely not a secure option.