I'm confused: what exactly is the problem here?

Google APIs are designed [1] to be accessed on behalf of a Google account holder by client-side code without any server component being involved. The client-side code does not use client_secret, only client_id. There isn't any secret key to steal from the code.

[1] https://developers.google.com/accounts/docs/OAuth2UserAgent