I'm getting ready to launch an Angular/Node web application which uses the YouTube V3 API. The app was released about 3 weeks ago as a "beta version" for market validation and was pretty successful in beta. It's not going to be a commercial success, just a fun app that makes people's lives a little bit easier. I have one issue/concern: should I be hiding my YouTube V3 API key, client id, and scopes? Or can I assume that since only my domain name is whitelisted, the potential hackers/people who try to use the API key won't be able to make any calls or do any damage, so therefore I have nothing to worry about?

These are the specific calls I'm worried about (not the real ids/keys)

Index.html Script Tag

    var OAUTH2_CLIENT_ID ='_#H#RJHWEJFHEFUIEHFUHEFHEJFU.apps.googleusercontent.com';
    var OAUTH2_SCOPES = ['https://www.googleapis.com/auth/youtube'];

In Angular, Controller.js

    .value('google_api_key', 'jfasdkjfdnstnewurweqjtndi')
    gapi.client.setApiKey(google_api_key);
scottwalstead
  • Could these two variables not be stored as ENV variables and then used in the node.js part? `var OAUTH2_CLIENT_ID ='_#H#RJHWEJFHEFUIEHFUHEFHEJFU.apps.googleusercontent.com'; var OAUTH2_SCOPES = ['https://www.googleapis.com/auth/youtube'];` – Daniël Smink Feb 18 '15 at 19:18
  • Since I am in fact using client side flow and not using node to authenticate the user for the youtube api, as answered below, that isn't possible. – scottwalstead Feb 20 '15 at 20:45

1 Answer

For Simple Access to Google APIs, the API key is the only credential required for the request, and it is a unique identifier of your app/project. It provides API access and is subject to quotas.

You should keep it a secret!

If you have a client-side-only app (without a server), then use the OAuth 2.0 Client-side Flow.

From Google's Documentation:

Best practices for securely using API keys:

When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To keep your API keys secure, follow these best practices:

  • Do not embed API keys directly in code

    API keys that are embedded in code can be accidentally exposed to the public—for example, if you forget to remove the keys from code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree.

  • Do not store API keys in files inside your application's source tree

    If you store API keys in files, keep the files outside your application's source tree to help ensure your keys do not end up in your source code control system. This is particularly important if you use a public source code management system such as GitHub.

  • Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them

    By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the Google Developers Console by opening the Credentials page and then either creating a new API key with the settings you want, or editing the settings of an API key.

  • Delete unneeded API keys

    To minimize your exposure to attack, delete any API keys that you no longer need.

  • Regenerate your API keys periodically

    You can regenerate API keys from the Google Developers Console by opening the Credentials page and clicking Regenerate key for each key. Then, update your applications to use the newly-generated keys. Your old keys will continue to work for 24 hours after you generate replacement keys.

  • Review your code before publicly releasing it

    Ensure that your code does not contain API keys or any other private information before you make your code publicly available.

New Dev
  • Thank you so much for that answer. Very helpful. Turns out for the YouTube API, I didn't need to be calling gapi.setApiKey() after all. Makes me feel a lot better having that off of my website. If you don't mind answering one more quick question, when using the client side flow, is it important to hide your client id? Or does that not even matter? – scottwalstead Feb 18 '15 at 22:15
  • 1
    No, client_id is not a secret. In fact, nothing can really be a secret with client-side flow – New Dev Feb 18 '15 at 22:18