I have a Rails app with a Backbone front-end and I stored my user's Google auth token to reuse it later. From a security standpoint, what is the best way to pass it for use in the Javascript code? So far I came up only with ways that embed it in-page. Is there any safer alternative?
You can use it in js codes. This wont be security threat for your application as long as HTTPS enabled and forced client to use it. Otherwise attackers can obtain your client's api key wiht man-in-the-middle attacks.
Html content only accessible by relevant client who can also see his/her own key from out of your app. But if you thinking about changing API key to another user with client side tampering. You can build proxy api.
CLIENT Request ---> Your API ---> Redirect request to Google
In this scenario you don't need to send API keys to client. You can just get api key from database and build and send request to google drive.