Gmail OAuth client_id is not a secret: design notes for self-host Actors
A DEV Community article clarifies that Gmail OAuth client_id is not a secret and should not be treated as one, especially in self-hosted Actor scenarios. The author argues that client_id is an application identifier that appears in front-end code, request URLs, and logs, making it impossible to hide. Hiding it does not improve security and can distract from the real attack surface: protecting tokens, client_secret (if used), and the overall authorization exchange boundary. The key question is whether an attacker knowing the client_id can complete an authorization exchange or obtain a valid token; if not, the design is sound. For self-hosted Actors, security depends on flow integrity rather than a single secret value. The article was published on May 16, 2026.
Misunderstanding OAuth client_id as a secret can lead to false security and neglect of token protection.
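The article's test ("can someone who knows only the client_id finish the exchange?") can be made concrete with a toy model of the provider side of the authorization-code flow with PKCE (RFC 7636). This is an added example, not code from the article or from any Actor project; the client_id, redirect URIs and server class are constructed for illustration. It shows that the client_id is bound into the code but proves nothing by itself: the registered redirect URI and the PKCE verifier are what gate the token.

```python
import base64, hashlib, hmac, secrets

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def pkce_challenge(verifier: str) -> str:
    """S256 challenge from RFC 7636: BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode()).digest())

class ToyAuthServer:
    """Constructed provider model: a code is bound to client_id, redirect_uri
    and the PKCE challenge, and can be redeemed only once."""
    def __init__(self, registered_redirects):
        self.registered = registered_redirects   # client_id -> set of redirect URIs
        self.codes = {}
    def authorize(self, client_id, redirect_uri, code_challenge):
        if redirect_uri not in self.registered.get(client_id, set()):
            return None                          # unregistered redirect: no code issued
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return code
    def token(self, client_id, redirect_uri, code, code_verifier):
        bound = self.codes.pop(code, None)       # single use: a replayed code gets nothing
        if bound is None:
            return None
        c_id, c_uri, challenge = bound
        if c_id != client_id or c_uri != redirect_uri:
            return None
        if not hmac.compare_digest(pkce_challenge(code_verifier), challenge):
            return None                          # only the party that began the flow has the verifier
        return {"access_token": secrets.token_urlsafe(24)}

def run_scenarios():
    client_id = "123456789-example.apps.googleusercontent.com"  # constructed; public by design
    good_uri = "http://localhost:8080/callback"
    srv = ToyAuthServer({client_id: {good_uri}})
    verifier = b64url(secrets.token_bytes(32))
    code = srv.authorize(client_id, good_uri, pkce_challenge(verifier))
    legit = srv.token(client_id, good_uri, code, verifier)
    # A party that knows only client_id: unregistered redirect, then a code without the verifier
    other_redirect = srv.authorize(client_id, "https://other.example/cb", pkce_challenge("x"))
    code2 = srv.authorize(client_id, good_uri, pkce_challenge(verifier))
    no_verifier = srv.token(client_id, good_uri, code2, "guessed-verifier")
    replay = srv.token(client_id, good_uri, code, verifier)
    return {"legit": legit, "other_redirect": other_redirect,
            "no_verifier": no_verifier, "replay": replay}
```

Only the legitimate exchange yields a token; every path that has the client_id but lacks the registered redirect, the verifier, or a fresh code is refused, which is the flow-integrity property the article points to.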