What is the appropriate way to manage API secrets within a Google Apps script?

If I write a google apps script, and within the script I need to invoke third party APIs or make database calls, what is the appropriate way of managing secret API keys and passwords?

Is there any risk in placing the secrets directly within the script if I publish the script as an API but don't share access to the Google Drive location that contains the Google Apps script

There is no right or wrong answer. There are numerous factors to consider:

• If this is for/in G-Suite, then your G-Suite admins'll have (or can get) access to anything. This may or may not be an issue.
• If you put the data in a sheet, anyone that has read access to the sheet can see the data.
• You can use PropertiesService but then folks can access as explained in the documentation. User properties is one way but may not work in all use-cases -- like if another user is executing the code. You could use installable triggers if that is do-able for your use-case.
• If folks need to be able to make the API call with your key, you could write a proxy web-app that they can call but not see source for.