I am making a very simple plugin to contact OneSignal, a service to send notifications to an Android app, when a post is published.

This plugin has no interface; it is only called when a post is published by an admin, but my OneSignal API keys are shown in it.

function sendMessage($postTitle, $postLink)
{
    // Notification title and body, keyed by language code.
    $heading = array("en" => "New post!");
    $content = array("en" => $postTitle);

    $fields = array(
        'app_id' => "MY API KEY",
        'included_segments' => array('All'),
        'data' => array("postLink" => $postLink),
        'contents' => $content,
        'headings' => $heading,
    );
    $fields = json_encode($fields);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://onesignal.com/api/v1/notifications");
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json; charset=utf-8',
        'Authorization: Basic MY SECOND API KEY',
    ));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_HEADER, FALSE);
    curl_setopt($ch, CURLOPT_POST, TRUE);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
    // Verify the server certificate; with FALSE the key could be sent to an impersonated host.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);

    $response = curl_exec($ch);
    curl_close($ch);

    return $response;
}

As you can see, the API keys are in the clear.
Should I hide these keys in some way? If yes, how? Please keep in mind this is the first time I “develop” something in WordPress, so maybe I am doing something wrong.

Thank you!

1 Answer

There is nothing you can do to hide the API keys.

If you look at the wp-config.php file, it contains the username and password to access the database in plain text. WordPress doesn’t even try to obfuscate them.

If you’re distributing this plugin, another option would be to have the plugin users each obtain an API key, create an options page so that they can input their key, and store the key in the database. Then when you need to use the API, get the option from the database and use their key.
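
The options-page approach from the answer above, as an added example that is not code from the question or the answer. The `osn_*` option and function names are hypothetical, and the keys are still stored in plain text in the options table, only no longer in the plugin source.

```php
<?php
// Added example; the osn_* option and function names are hypothetical.

// A blank submission keeps the stored key, so the form never echoes the secret.
function osn_sanitize_key($value) {
    $value = sanitize_text_field($value);
    return $value === '' ? get_option('osn_rest_key', '') : $value;
}

add_action('admin_init', function () {
    register_setting('osn_settings', 'osn_app_id', array('sanitize_callback' => 'sanitize_text_field'));
    register_setting('osn_settings', 'osn_rest_key', array('sanitize_callback' => 'osn_sanitize_key'));
});

// Settings > OneSignal, reachable only by users with manage_options.
add_action('admin_menu', function () {
    add_options_page('OneSignal', 'OneSignal', 'manage_options', 'osn', 'osn_render_page');
});

function osn_render_page() { ?>
    <div class="wrap"><h1>OneSignal</h1>
    <form method="post" action="options.php">
        <?php settings_fields('osn_settings'); // nonce and option group ?>
        <p>App ID <input type="text" name="osn_app_id" value="<?php echo esc_attr(get_option('osn_app_id', '')); ?>"></p>
        <p>REST API key <input type="password" name="osn_rest_key" value=""
            autocomplete="off" placeholder="leave blank to keep current key"></p>
        <?php submit_button(); ?>
    </form></div>
<?php }

// Read the keys at send time instead of hard-coding them in the plugin file.
function osn_send_message($postTitle, $postLink) {
    $appId = get_option('osn_app_id', '');
    $key   = get_option('osn_rest_key', '');
    if ($appId === '' || $key === '') {
        return new WP_Error('osn_not_configured', 'OneSignal keys are not set.');
    }
    return wp_remote_post('https://onesignal.com/api/v1/notifications', array(
        'headers' => array(
            'Content-Type'  => 'application/json; charset=utf-8',
            'Authorization' => 'Basic ' . $key,
        ),
        'body' => wp_json_encode(array(
            'app_id'            => $appId,
            'included_segments' => array('All'),
            'data'              => array('postLink' => $postLink),
            'headings' => array('en' => 'New post!'), 'contents' => array('en' => $postTitle),
        )),
    ));
}
```

`wp_remote_post()` verifies the server certificate by default, so the key is only sent over a validated TLS connection.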
