There are two options to protect your server side code:
- Publish an Add-on that the client must install to a Google document (Form, Sheet, Doc) An "editor" add-on.
- Add your Apps Script code as a library to their Apps Script file
If the client will have the Apps Script file in their Drive, then a library can (sort of) hide your code by having their Apps Script file run code from an Apps Script file in your account, where your Apps Script file is added to the clients Apps Script file as a "library."
An add-on can't be published to a Web App.