Do I need to keep the auth-key hidden and protected?

Yes. Treat the auth key as you would treat a password and follow best-practice security for it.