Aye, which is why putting your administrative credentials in client-side JavaScript is an unspeakably bad idea.
Instead, serve {client,user}-specific keys from the server on request, or let the user generate them through a signin process in the frontend, say by using the _users database that CouchDB and Cloudant allow.
Yes. But it is demo code, meaning that the use case isn't production, it's education. And the UX of education is a lot worse when you have to begin by saying, "this will look different from yours" and "here's a whole extra layer of complication I'm going to introduce, but don't worry it's a best practice."
Exactly, the username / password combination is most certainly to make life simpler for a demo, would never expect someone to do that in real code.
I plan on extending the getting started tutorial with an extention that does a database oer user when logged in (via persona), it actually wont make the tutorial much more complex and gets very close to what it should look like in production (https://github.com/daleharvey/couch-persona)
Instead, serve {client,user}-specific keys from the server on request, or let the user generate them through a signin process in the frontend, say by using the _users database that CouchDB and Cloudant allow.