It's up to you. If you have a backend service, then you have to hide it; otherwise it can cause a security issue, even if you are only consuming data with GET requests. I would recommend hiding it.
If you don't know about server-side code, proxies, or serverless, then use Cloudflare. Later on, I will show you different ways to hide APIs from the client.
As a general rule any configuration value, even if unrelated to security, should be kept off of source control. I would always recommend committing only placeholders. That’s just a good practice that should always be followed.
That being said, allowing the public to learn your space Id and Content Delivery API (CDA) token isn’t a security issue if that space holds only content meant for public consumption. The reasons are:
CDA is read-only. No one can use its token to change your content, so that’s safe.
Content is public in this scenario, so the worst that can happen is someone very technical firing up a REST client and getting it without going through your site - which isn’t very legible, as it’s all JSON payloads.
If you’re concerned about the risk of a malicious agent using that token to cause a lot of API calls, remember that the risk is no higher than that agent simply loading your site a lot of times. There’s no measurable security difference.
If your content is meant for consumption only by logged in users, on the other hand (ex: premium content for users only), then we recommend you don’t expose the CDA token and keep it server-side, routing all CDA calls through there instead.
In any case, please always keep placeholders in your public repository and never actual tokens. Like I said, it’s a good practice to follow.
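The server-side routing recommended above for logged-in-only content, as an added example that is not code from the video or from Contentful. The environment variable names `CONTENTFUL_SPACE_ID` and `CONTENTFUL_ACCESS_TOKEN`, the `/api/` route prefix, and `req.user` (set by your own session middleware) are assumptions.

```javascript
// Added example: server-side proxy so the CDA token never reaches the browser.
// Assumed names: CONTENTFUL_SPACE_ID, CONTENTFUL_ACCESS_TOKEN, the /api/ prefix,
// and req.user being populated by your own session middleware.
const ALLOWED = new Set(["entries", "assets"]); // read endpoints the client may reach
const PLACEHOLDER = /^(|<.*>|your[-_ ].*|changeme)$/i; // what a committed .env.example holds

// Read credentials from the environment; refuse to start on placeholders.
function loadConfig(env) {
  const spaceId = env.CONTENTFUL_SPACE_ID || "";
  const token = env.CONTENTFUL_ACCESS_TOKEN || "";
  if (PLACEHOLDER.test(spaceId) || PLACEHOLDER.test(token)) {
    throw new Error("Contentful credentials missing or still placeholders");
  }
  return { spaceId, token };
}

// Map a client URL such as /api/entries?content_type=post to the upstream request.
// Returns null for anything outside the allowlist, so the server's token
// cannot be pointed at other CDA paths.
function buildUpstream(config, clientUrl) {
  const url = new URL(clientUrl, "http://localhost");
  const match = /^\/api\/([a-z]+)$/.exec(url.pathname);
  if (!match || !ALLOWED.has(match[1])) return null;
  url.searchParams.delete("access_token"); // never forward a client-supplied token
  const upstream = new URL(
    `https://cdn.contentful.com/spaces/${encodeURIComponent(config.spaceId)}/${match[1]}`);
  upstream.search = url.searchParams.toString();
  return { url: upstream.toString(), headers: { Authorization: `Bearer ${config.token}` } };
}

// Handler with the (req, res) shape of Node's http.createServer callback.
function makeHandler(config, fetchImpl = fetch) {
  return async (req, res) => {
    const send = (status, body) => {
      res.writeHead(status, { "Content-Type": "application/json" });
      res.end(body);
    };
    if (!req.user) return send(401, '{"error":"login required"}');
    const upstream = buildUpstream(config, req.url);
    if (!upstream) return send(404, '{"error":"not found"}');
    const r = await fetchImpl(upstream.url, { headers: upstream.headers });
    send(r.status, await r.text());
  };
}
```

Mount it with `http.createServer(makeHandler(loadConfig(process.env)))` behind your login check, and commit only a `.env.example` containing placeholder values.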
List of resources shown in the video:
The YouTube video that shows storing the access token in a .env variable
timing: watch from 10:29
Contentful example app
A forum post on "Should I keep Access Tokens secret?"
Site to enter the space ID and access token
Demo website and code used in this video