I’ve found other similar questions saying that the API keys in plasmic.json are intended to be public. I’d rather hide these, but out of interest I’d like to know what can be done with this info? Does this mean another user could effectively clone or access a project? Documentation doesn’t seem to cover this
Any idea? Need to start a new repo and want to get it right 
The API key is used to allow syncing your project. There is currently no default way to hide these values from plasmic.json but it would be possible with some pre-commit hook that removes it. If the API key is not available, it will try using your .plasmic.auth configuration.