I have web app with html/js. Integrated Google Picker library for gdrive. In browser dev tools/source code: developerKey, clientId, appId are being exposed. Does that pose any security risk(1) or those can be public? If not, what are possible ways to hide it?
(1) I've limited developerKey in Google Console to be used only for gdrive and nothing else.
There's no security risk because those can't be used to authenticate to your account or get private information, but someone could use your API key to make requests to Google APIs that exposed public information (Google Maps for example) and be charged for those quota expenses. To prevent that quota "theft" you have 2 options:
1) Follow the Google guidelines to restrict your API key to be used only from a specific URL or certain IP addresses.
2) Set up a backend service to authenticate each user in order to get the API key as explained in this answer.