I find it confusing that when I first tried the Google API in a PHP environment, it required me to use a "client secret" key which I got via the API console. In the JavaScript API examples no such key is needed, and I understand that if it were there, the code would no longer be secret.
Is there any reason why Google still requires the key in PHP code? Are there differences between the JS and PHP API, are there things that can only be done in PHP?
The OAuth2 specification distinguishes client types and provides different workflows for them.
Normally the specification suggests the full-fledged "authorization code grant" scenario. As your PHP application runs on a web server that is remote from the end user, the PHP application can protect its client secret from the world.
In contrast, embedded clients (like applications running on your phone or JavaScript in your browser) cannot protect the client secret because their environment is easily accessible from the outside. So the specification has the completely different "implicit grant" scenario that does not require usage of client secrets.
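
The two grants described in the answer above, written out as the messages each one sends. This is an added example, not part of the original answer or of Google's client libraries; the endpoints, client id, secret, redirect URI and sample code/token values are constructed placeholders.

```javascript
// Added illustration: all endpoints and credentials below are constructed placeholders.
const AUTHORIZE = "https://auth.example/authorize"; // assumed authorization endpoint
const TOKEN = "https://auth.example/token";         // assumed token endpoint
const CLIENT = {
  id: "demo-client-id",
  secret: "demo-client-secret", // held only by a server-side (confidential) client
  redirectUri: "https://app.example/callback",
};

// Step 1 of both grants: the URL the user's browser is redirected to.
// Only response_type differs: "code" (authorization code grant) or "token" (implicit grant).
function authorizationUrl(responseType, state) {
  const q = new URLSearchParams({
    response_type: responseType,
    client_id: CLIENT.id,
    redirect_uri: CLIENT.redirectUri,
    state,
  });
  return `${AUTHORIZE}?${q}`;
}

// Step 2 of the authorization code grant only: the web server's back-channel POST
// that exchanges the code for a token. This is the one message carrying client_secret.
function tokenRequest(code) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: CLIENT.redirectUri,
    client_id: CLIENT.id,
    client_secret: CLIENT.secret,
  });
  return { method: "POST", url: TOKEN, body: body.toString() };
}

// Every message that passes through the browser in each grant (constructed sample values).
function browserVisible(grant) {
  if (grant === "code") {
    return [authorizationUrl("code", "xyz"),
            `${CLIENT.redirectUri}?code=SAMPLE_CODE&state=xyz`];
  }
  // Implicit grant: the token comes back in the URL fragment; there is no second step.
  return [authorizationUrl("token", "xyz"),
          `${CLIENT.redirectUri}#access_token=SAMPLE_TOKEN&token_type=bearer&state=xyz`];
}

// True if any browser-visible message contains the client secret.
const leaksSecret = (msgs) => msgs.some((m) => m.includes(CLIENT.secret));
```

In both grants the browser-visible messages contain only the client id; the secret appears solely in the server-to-server token request of the authorization code grant.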