Should the Auth token and/or client ID be secret?

Thanks!
So I can hardcode the client id, correct? (To regenerate the token after the 60 days)