Access-Control-Allow-Headers CORS Error with API after updating Discourse

You are putting your system API key in client-side code? :scream:
This means that anyone can grab it from your JavaScript code and use it to completely own your forum.

Any Ajax HTTP requests to Discourse should be leveraging an existing session, or not be needing a session at all.

3 Likes
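
As an added example (not part of the reply above and not Discourse's own code), this Node.js check flags hard-coded Discourse API credentials in JavaScript that is served to browsers, so the problem is caught before deployment. `Api-Key`/`Api-Username` and the `api_key`/`api_username` parameters are Discourse's API credential fields; the function names, the forum URL and the sample source are constructed.

```javascript
// Added example: flag hard-coded Discourse API credentials in browser-delivered JS.
// Function names and the sample source are constructed for illustration.
const PATTERNS = [
  // Header/object entry with a literal value, e.g. 'Api-Key': '...'
  { kind: 'literal', valueGroup: 3,
    re: /['"`]?\b(api[-_]key|api[-_]username)\b['"`]?\s*:\s*(['"`])([^'"`\n]+)\2/gi },
  // Query string or form body, e.g. ?api_key=... (skips ${...} interpolation)
  { kind: 'query', valueGroup: 2,
    re: /\b(api_key|api_username)=([^&'"`\s$]+)/gi },
];

// Never echo a full secret into CI logs: keep at most 4 characters, mask the rest.
function redact(value) {
  const keep = Math.min(4, Math.floor(value.length / 2));
  return value.slice(0, keep) + '*'.repeat(value.length - keep);
}

// Returns one finding per embedded credential: { line, field, kind, preview }.
function findEmbeddedCredentials(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const { kind, valueGroup, re } of PATTERNS) {
      for (const match of text.matchAll(re)) {
        findings.push({
          line: index + 1,
          field: match[1].toLowerCase().replace('-', '_'),
          kind,
          preview: redact(match[valueGroup]),
        });
      }
    }
  });
  return findings;
}

// Constructed sample of client-side code; the key value is a placeholder.
const SAMPLE = [
  "fetch('https://forum.example.com/posts.json', {",
  "  headers: { 'Api-Key': 'constructed0123456789abcdef', 'Api-Username': 'system' },",
  "});",
  "$.get('https://forum.example.com/latest.json?api_key=constructed0123456789abcdef');",
  "fetch('/latest.json', { credentials: 'include' }); // session cookie, no key",
].join('\n');

console.log(findEmbeddedCredentials(SAMPLE));
```

Any finding means the key has to be treated as exposed: revoke it and move the request to the user's existing session or to server-side code.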