Do we need to hide the google oauth client id?

Posted 2019-07-06 09:34

Question:

Everyone. I've recently been learning OAuth authentication. I'm playing around with Google's OAuth API. In the tutorial for Google Sign-In for server-side apps, in the third step - Initialize the GoogleAuth object, you need to provide the client ID to initialize the GoogleAuth object. I'm just wondering if we need to keep the client ID secret, because right now anyone can find out what the client ID is by looking into the JavaScript.

Answer 1:

You don't need to hide the client ID, provided that you restricted access to specific JavaScript origins and redirect URIs on the server side. See more details on this Quora thread or this IETF thread.
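
The following is an added example, not part of the original answer and not Google's implementation. It models the server-side restriction the answer refers to: a request that presents a valid public client ID is still rejected unless its origin and redirect URI match the registered values. The client ID, hostnames, and the names `REGISTERED_CLIENTS`, `originOf` and `checkAuthRequest` are all constructed for illustration.

```javascript
// Constructed registration record, modelling what an OAuth provider stores
// for a public (browser) client. All values are made-up placeholders.
const REGISTERED_CLIENTS = new Map([
  ["1234-example.apps.example.test", {
    javascriptOrigins: ["https://app.example.com"],
    redirectUris: ["https://app.example.com/oauth2/callback"],
  }],
]);

// Normalise a value to its origin (scheme + host + port); null if unparsable.
function originOf(value) {
  try {
    const u = new URL(value);
    return u.origin === "null" ? null : u.origin;
  } catch {
    return null;
  }
}

// Hypothetical server-side check: knowing the client ID is not enough.
// The request must come from a registered origin and, if it carries a
// redirect URI, that URI must equal a registered one exactly.
function checkAuthRequest({ clientId, origin, redirectUri }) {
  const client = REGISTERED_CLIENTS.get(clientId);
  if (!client) return { ok: false, reason: "unknown_client" };

  const o = originOf(origin);
  if (o === null || !client.javascriptOrigins.includes(o)) {
    return { ok: false, reason: "origin_mismatch" };
  }
  // Exact string comparison: no prefix, wildcard or substring matching.
  if (redirectUri !== undefined && !client.redirectUris.includes(redirectUri)) {
    return { ok: false, reason: "redirect_uri_mismatch" };
  }
  return { ok: true, reason: "allowed" };
}

// Constructed sample requests: same public client ID, different callers.
const id = "1234-example.apps.example.test";
for (const origin of ["https://app.example.com", "https://app.example.com.other.test"]) {
  console.log(origin, checkAuthRequest({ clientId: id, origin }).reason);
}
```
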