Obfuscate your private key and shared secret to prevent others from detecting them in the page source.
Obscuring any code that's visible in the page source should always be considered best practice for security. You'll find a variety of suggestions and tips to do this by searching the web.
When using a shared secret, it should always be hidden and pulled from your server instead of within the client in order to generate a proper signature.
* More about API Authentication