Using NextJS's API to create a middleman between NextJS client and GraphQL API

Hello,

We need your help working on our project.

We have a NextJS app on the front end, and a GraphQL API on the backend that we use with Apollo’s provider & hooks.

Problem:
Our API’s secret is used in the queries and mutations on the client side, so anyone can get it and query our API.

We would like to keep using Apollo’s hooks (recoding every query/mutation call would be a huge workload, and we like Apollo’s hooks) but we definitely need a solution to protect our API’s secret.

We were thinking about using NextJS’s API in the middle, as a kind of alias for our GraphQL API, so that clients can query the NextJS API with their session token, and the NextJS API in turn will call the backend API with the secret, behaving like a classic GraphQL API as far as the NextJS client app knows.

Do you know how we could do something like this?

Thank you
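
One way to build the proxy route the question describes, as an added example that is not part of the original post. The environment variable names, the `x-api-secret` header, the `SESSIONS` store and `verifySession()` are hypothetical; how the backend actually expects its secret is not stated in the question.

```javascript
// Added example in the style of pages/api/graphql.js (Next.js API route).
// Hypothetical names: GRAPHQL_UPSTREAM_URL, GRAPHQL_API_SECRET, the
// x-api-secret header, SESSIONS and verifySession(); adapt to your backend.
function createGraphqlProxy({ upstreamUrl, secret, verifySession, fetchImpl = globalThis.fetch }) {
  const fail = (res, code, message) => res.status(code).json({ errors: [{ message }] });
  return async function handler(req, res) {
    if (req.method !== 'POST') return fail(res, 405, 'Method not allowed');
    // Authenticate the caller with their own session token, never the API secret.
    const session = await verifySession(req);
    if (!session) return fail(res, 401, 'Not authenticated');
    // Forward only the GraphQL fields; client headers and extra keys are dropped.
    const { query, variables, operationName } = req.body || {};
    if (typeof query !== 'string' || query === '') return fail(res, 400, 'Missing query');
    try {
      const upstream = await fetchImpl(upstreamUrl, {
        method: 'POST',
        headers: { 'content-type': 'application/json', 'x-api-secret': secret },
        body: JSON.stringify({ query, variables, operationName }),
      });
      // Relay status and body so Apollo sees an ordinary GraphQL response.
      return res.status(upstream.status).json(await upstream.json());
    } catch (err) {
      // Generic message: upstream errors may contain the URL or the secret.
      return fail(res, 502, 'Upstream unavailable');
    }
  };
}

// Constructed session store standing in for real session validation.
const SESSIONS = new Map([['constructed-session-token', { userId: 'u1' }]]);

// In a Next.js project this would be the route's default export.
const graphqlProxy = createGraphqlProxy({
  upstreamUrl: process.env.GRAPHQL_UPSTREAM_URL,
  secret: process.env.GRAPHQL_API_SECRET, // server-only: no NEXT_PUBLIC_ prefix
  verifySession: async (req) => {
    const match = /^Bearer (.+)$/.exec(req.headers.authorization || '');
    return match ? SESSIONS.get(match[1]) || null : null;
  },
});
```

With a route like this in place, Apollo Client's `uri` can point at `/api/graphql` so the existing hooks stay unchanged. A secret that has already shipped in client bundles should be rotated once the proxy is live.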