gglukmann / use-google-sheets

📝 A React Hook for getting data from Google Sheets API v4

api key and sheet id exposed in network request

lidaof opened this issue · comments

Hi,

Thanks for this nice library! Very easy to use!
I found out that although I put my API key and sheet ID in the .env file, after I deploy my app, users can see the requested URL in the network tab in the browser console, which contains the API key and sheet ID...
I am not sure, though: do you think we can use a POST request or some other way to keep the URL secret?

Thanks again!

Hi, you are correct, this is the way the Google API works right now when using client-side auth. First of all, restrict your key to only being used from whitelisted domains, and don't use the same key that you are using elsewhere. The Google Sheet itself should only have view rights by default. For a more secure way, this library can't be used, and it should be done in the backend.
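
The backend approach mentioned in the reply, as an added example (not part of the thread and not code from use-google-sheets): a small Node handler that keeps the API key and sheet ID on the server and returns only cell values to the browser. The route `/api/sheet`, the environment variable names `SHEETS_API_KEY` and `SHEET_ID`, port 3000 and the allowed range names are assumptions.

```javascript
// Added example: server-side proxy so the key and sheet ID never reach the browser.
// Ranges the client may request (constructed names); anything else is rejected.
const ALLOWED_RANGES = new Set(["Sheet1", "Prices"]);

// Build the Sheets API v4 values.get URL. Only ever called on the server.
function buildUpstreamUrl(sheetId, range, apiKey) {
  const url = new URL(
    `https://sheets.googleapis.com/v4/spreadsheets/${encodeURIComponent(sheetId)}` +
    `/values/${encodeURIComponent(range)}`);
  url.searchParams.set("key", apiKey);
  return url.toString();
}

// Returns an (req, res) handler for GET /api/sheet?range=<name> (hypothetical route).
function createSheetProxy({ apiKey, sheetId, fetchImpl = fetch }) {
  return async function handler(req, res) {
    const range = new URL(req.url, "http://localhost").searchParams.get("range");
    if (req.method !== "GET" || !ALLOWED_RANGES.has(range)) {
      res.writeHead(400, { "Content-Type": "application/json" });
      return res.end(JSON.stringify({ error: "unsupported request" }));
    }
    try {
      const upstream = await fetchImpl(buildUpstreamUrl(sheetId, range, apiKey));
      if (!upstream.ok) throw new Error(`upstream status ${upstream.status}`);
      const { values = [] } = await upstream.json();
      res.writeHead(200, { "Content-Type": "application/json" });
      res.end(JSON.stringify({ range, values })); // cell values only
    } catch (err) {
      // Details stay in the server log; the client gets a generic error.
      console.error("sheet proxy:", err.message);
      res.writeHead(502, { "Content-Type": "application/json" });
      res.end(JSON.stringify({ error: "upstream failure" }));
    }
  };
}

// Start the server only when the key is supplied through the server's environment.
if (process.env.SHEETS_API_KEY && process.env.SHEET_ID) {
  import("node:http").then(({ createServer }) =>
    createServer(createSheetProxy({
      apiKey: process.env.SHEETS_API_KEY, sheetId: process.env.SHEET_ID,
    })).listen(3000));
}
```

With this in place the browser requests `/api/sheet?range=Sheet1` and the network tab shows neither the key nor the sheet ID. Because the key is no longer used from a browser, restrict it by server IP address instead of HTTP referrer.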