I'm working on a desktop app using the Google Workspaces API. I was wondering if I need to add my credentials.json file to .gitignore. If I'm going to bundle the API into a binary file, should I consider keeping this file out of version control since my repository is public? The credentials.json contains a client_secret key, but I've read that it may not be as secret as I initially thought. If my binary file ends up containing this information, is there any reason to keep it private?
3 Answers
You’re on the right track thinking about security and version control! Even if the client_secret isn't considered super sensitive, putting your credentials.json file in .gitignore is a solid practice for public repos. It helps ensure that you're not accidentally exposing anything. Bundling the API into a binary is good, but you still want to take steps to protect your sensitive info. There are also tools out there like bitbuffet.dev that can help manage credentials without putting them directly in your code!
I'd say it doesn't hurt to keep it out of the repo! Even if you think the client_secret isn't a huge security risk, every extra layer of security is a good move. You’re right about bundling the API—it helps, but better safe than sorry! It's definitely wise to use .gitignore to keep your credentials a bit safer.
I looked into this a bit and found that having an API key in your app usually means it can only access publicly available data. Therefore, it might not pose a big security risk. However, if your app grows large (think 500 users), you could face potential issues if someone misuses the key, which could require a lot of work to fix. For smaller apps, it's probably okay to bundle the key, but it's always better to be cautious. Just cleaning up after any mess later could be a hassle. Better to play it safe if you’re scaling up!
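An added example, not part of any answer above: a check that finds an OAuth client file like the question's credentials.json by its content rather than its name, so a renamed copy that a .gitignore entry would miss is still caught before it is committed. It assumes the downloaded client file keeps its settings under a top-level "installed" (desktop) or "web" key; the function names are hypothetical and the sample id and secret are constructed placeholders.

```python
import json
import subprocess
import sys

# Top-level key of a Google OAuth client file: desktop app or web app.
CLIENT_TYPES = ("installed", "web")

def find_client_secret(text):
    """Return (client_type, client_id) if text is an OAuth client file
    carrying a client_secret, else None. Matches on content, not name."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    for kind in CLIENT_TYPES:
        section = doc.get(kind)
        if isinstance(section, dict) and section.get("client_secret"):
            return kind, section.get("client_id", "")
    return None

def scan(files):
    """files maps path -> contents; returns [(path, type, client_id)]."""
    hits = ((p, find_client_secret(t)) for p, t in sorted(files.items()))
    return [(p, h[0], h[1]) for p, h in hits if h]

def staged_files():
    """Read the staged (index) version of each added or modified file."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True).stdout.decode().split("\0")
    return {n: subprocess.run(["git", "show", ":" + n], check=True,
            capture_output=True).stdout.decode(errors="replace")
            for n in names if n}

# Constructed sample: placeholder id and secret, one renamed copy.
_CLIENT = json.dumps({"installed": {
    "client_id": "EXAMPLE-ID.apps.googleusercontent.com",
    "client_secret": "EXAMPLE-SECRET"}})
SAMPLE = {"credentials.json": _CLIENT, "cfg/google.json": _CLIENT,
          "package.json": '{"name": "demo"}', "README.md": "# demo"}

if __name__ == "__main__":
    files = staged_files() if "--staged" in sys.argv else SAMPLE
    found = scan(files)
    for path, kind, cid in found:
        print(f"{path}: {kind} OAuth client file with client_secret ({cid})")
    sys.exit(1 if found else 0)
```

Run with `--staged` from a Git pre-commit hook to block the commit (exit status 1) when a staged file matches; without arguments it scans the constructed sample.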