If either the project ID or OAuth client ID is leaked or otherwise posted online, are these considered sensitive enough on their own to warrant removal?
I've found some references online that, with typically no or a very, very weak justification, claim it's PII. One of these sources states:
> “Project IDs are PII per se, but they are also useful [for] finding resources, such as App Engine apps or Container Registry images that may not have been properly secured.”
I haven't found any similar claims on the OAuth client ID, but I've seen it removed several times from posts on Stack Overflow with similar claims (but nearly never by the asker themselves), and its general usage, at least to me, makes it seem unlikely that it's actually classified as sensitive.
> Most of the time, you do not need to specify a project when performing actions in Cloud Storage; however you should include either the project ID or the project number in the following cases: [...]
Which indicates that it does have some uses where it's actually published, and consequently, is public to the internet.
So, does it matter if either ID gets published on the internet? I'm also primarily looking for sourced statements directly from Google to support any answers to this, if such a source exists (I'll count Google employees replying to this as a source as well, for the record).