Abdul Samad

Reputation: 41

Exposing OAuth 2.0 client ID and API key for Google API

Is it fine to expose the API key and OAuth 2.0 client ID in the front end when consuming a Google API?

Google Picker.

Image attached

Upvotes: 3

Views: 993

Answers (1)

Linda Lawton - DaImTo

Reputation: 116868

As per Changes to the Google APIs Terms of Service

Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.

You are required to keep your keys private between yourself and your developers. You must not share them with others.

The reasons for this can be read here: Can I really not ship open source with Client ID?

You are, however, allowing them to “impersonate” you in Google’s eyes. If our abuse systems detect abuse (say, should someone try to DoS one of our services using your key), you run the risk that they would terminate your account because of it (and please note — they wouldn’t just cut access to the key, they would shut down your console account). Moreover, you’ve been granted whitelisted access to APIs that are not available to the general public (and, in all likelihood required agreeing to a separate Terms of Service) and are sharing access to anyone who wants it. There is no doubt that is a violation of those terms. Sorry to not have the answer you are looking for, but keys are the one way we have to tell who is calling our services.

All of that being said, there are some instances where it is not possible to keep them private, for example when using a Google API key in JavaScript code. The key will always be visible to anyone who chooses to view the source of the site. Google has chosen not to comment on any of my requests for information as to how best to deal with this.

Upvotes: 1
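The answer ends on the practical problem: whatever a Picker integration puts in browser JavaScript is readable by every visitor. One control a team can run before deploying is a scan of the built front-end bundle that reports which Google credentials ended up in it and blocks the deploy when a client secret is present. The script below is an added example, not code from the question, the answer, or Google; the three regular expressions are heuristics assumed here for illustration (API keys beginning with "AIza", web client IDs ending in ".apps.googleusercontent.com", newer client secrets beginning with "GOCSPX-"), and the sample bundle is constructed.

```javascript
// Added example: pre-deploy scan of shipped front-end source for Google
// credentials. Anything found here is effectively public, so the report says
// what each finding is and what the reviewer should check in the console.
//
// Patterns are assumed heuristics, not an official specification.
const PATTERNS = [
  {
    kind: 'google_api_key',
    regex: /AIza[0-9A-Za-z_-]{35}/g,
    verdict: 'readable by every visitor; confirm HTTP referrer and API restrictions are set on this key',
  },
  {
    kind: 'oauth_client_id',
    regex: /\b\d{6,}-[0-9a-z]+\.apps\.googleusercontent\.com\b/g,
    verdict: 'readable by every visitor; confirm it is the web client and its authorized JavaScript origins are limited to this site',
  },
  {
    kind: 'oauth_client_secret',
    regex: /GOCSPX-[0-9A-Za-z_-]{20,}/g,
    verdict: 'must never ship to the browser; rotate it and move the token exchange server-side',
  },
];

// Show only the first and last characters so the report itself does not leak the value.
function redact(value) {
  return value.length <= 8 ? value : value.slice(0, 4) + '...' + value.slice(-4);
}

// Scan one source file line by line and return every credential-looking match.
function scanSource(source, file = 'bundle.js') {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    for (const pattern of PATTERNS) {
      pattern.regex.lastIndex = 0; // global regex: reset before reuse on a new line
      let match;
      while ((match = pattern.regex.exec(line)) !== null) {
        findings.push({
          file,
          line: index + 1,
          kind: pattern.kind,
          match: redact(match[0]),
          verdict: pattern.verdict,
        });
      }
    }
  });
  return findings;
}

// Deploy gate: a client secret in browser code blocks the release outright;
// API keys and client IDs are reported for review of their restrictions.
function deployGate(findings) {
  const blocking = findings.filter((f) => f.kind === 'oauth_client_secret');
  const review = findings.filter((f) => f.kind !== 'oauth_client_secret');
  return { allowed: blocking.length === 0, blocking, review };
}

// Constructed sample of a Picker integration as it would be shipped to the
// browser. The values are placeholders shaped like real credentials.
const SAMPLE_BUNDLE = [
  '// constructed sample bundle',
  "const developerKey = '" + 'AIzaSyA' + '0'.repeat(32) + "';",
  "const clientId = '123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com';",
  "const clientSecret = '" + 'GOCSPX-' + 'x'.repeat(28) + "'; // should never be here",
  "gapi.load('picker', () => {});",
].join('\n');

// Usage: run against the built bundle and fail the pipeline when not allowed.
const result = deployGate(scanSource(SAMPLE_BUNDLE));
console.log(JSON.stringify(result, null, 2));
```

In a real pipeline the bundle would be read from the build output rather than embedded, and the gate's `allowed` flag would decide the exit code. The scan is deliberately conservative: it treats the API key and client ID as findings to review rather than as errors, because, as the answer notes, a key used from JavaScript cannot be hidden, so the meaningful question for the reviewer is whether the restrictions on that key limit what a copied value can do.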
