This isn’t a restriction specific to Discourse - in general it is a bad idea to include admin credentials in the source code of a website.
If you can make the Discourse API call from your node.js server, that would probably be the best solution. If you need your application to be purely client-side, then requesting user-specific api keys is an option, although their setup is a lot more complex: User API keys specification