Right now I have hard-coded all my keys in the background page. Do I need to secure the access_token that is generated after authorization is successful?
By using Google OAuth, they're pretty secure unless you explicitly want to expose them. Also, just place your client_id in your manifest like every Chrome extension developer does.
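
An added example, not part of the original question or answer: one way a background page can work with the manifest-declared client_id, assuming the extension uses the `chrome.identity` API, so the access token is requested on demand and never hard-coded. `authorizedRequest`, `sendWithFetch`, `API_URL` and the manifest placeholders are hypothetical names chosen for this example.

```javascript
// Added example (not from the original thread). Assumed manifest.json entries:
//   "permissions": ["identity"],
//   "oauth2": { "client_id": "<YOUR_CLIENT_ID>", "scopes": ["<SCOPE>"] }
// The client_id is public; the access token is fetched on demand and is
// never hard-coded or written to storage by this code.

// Hypothetical transport helper: sends the token as a Bearer header and
// reports (status, body); status 0 means the request itself failed.
function sendWithFetch(url, token, cb) {
  fetch(url, { headers: { Authorization: "Bearer " + token } })
    .then((res) => res.text().then((body) => [res.status, body]))
    .catch(() => [0, ""])
    .then(([status, body]) => cb(status, body));
}

// identity: chrome.identity (or a stub); send: a transport like sendWithFetch.
// done(err, body) receives the final outcome.
function authorizedRequest(identity, send, url, done) {
  identity.getAuthToken({ interactive: true }, (token) => {
    if (!token) return done(new Error("authorization failed"));
    send(url, token, (status, body) => {
      if (status !== 401) {
        return done(status === 200 ? null : new Error("HTTP " + status), body);
      }
      // 401: the cached token is expired or revoked. Drop it from Chrome's
      // token cache and retry once without prompting the user again.
      identity.removeCachedAuthToken({ token: token }, () => {
        identity.getAuthToken({ interactive: false }, (fresh) => {
          if (!fresh) return done(new Error("re-authorization failed"));
          send(url, fresh, (s2, b2) => {
            done(s2 === 200 ? null : new Error("HTTP " + s2), b2);
          });
        });
      });
    });
  });
}

// Usage inside the background page (API_URL is a placeholder):
// authorizedRequest(chrome.identity, sendWithFetch, API_URL, (err, body) => {});
```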