diff --git a/.gitignore b/.gitignore
index 7086f64..4635804 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,7 @@ config.toml
 .DS_Store
 DEBIAN/
 usr/
+oauth-secrets.json
+secrets/
+*.secret
+.env
diff --git a/docs/ANTIGRAVITY.md b/docs/ANTIGRAVITY.md
index 136148d..ad7b464 100644
--- a/docs/ANTIGRAVITY.md
+++ b/docs/ANTIGRAVITY.md
@@ -69,8 +69,7 @@ For regular Gemini CLI OAuth, only `cloudcode-pa.googleapis.com` is used.
 
 ### 4.1 OAuth Flow
 
-- **Client ID**: `REDACTED_ANTIGRAVITY_CLIENT_ID_2`
-  (also `REDACTED_ANTIGRAVITY_CLIENT_ID`)
+- **Client IDs**: Stored locally in `~/.config/codex-launcher/oauth-secrets.json` (not in repo)
 - **OAuth callback**: `https://antigravity.google/oauth-callback`
 - **Token storage**: `~/.cache/codex-proxy/google-antigravity-oauth-token.json`
 - **Token refresh**: via `https://oauth2.googleapis.com/token`
diff --git a/src/codex-launcher-gui b/src/codex-launcher-gui
index 49e8a9e..e0b8292 100755
--- a/src/codex-launcher-gui
+++ b/src/codex-launcher-gui
@@ -3273,9 +3273,17 @@ class EditEndpointDialog(Gtk.Dialog):
         is_antigravity = oauth_provider == "google-antigravity"
         token_path = os.path.expanduser("~/.cache/codex-proxy/google-antigravity-oauth-token.json" if is_antigravity else "~/.cache/codex-proxy/google-cli-oauth-token.json")
 
+        _oauth_secrets_path = os.path.expanduser("~/.config/codex-launcher/oauth-secrets.json")
+        try:
+            with open(_oauth_secrets_path) as _f:
+                _oauth_secrets = json.load(_f)
+        except Exception:
+            _oauth_secrets = {}
+
         if is_antigravity:
-            CLIENT_ID = "REDACTED_ANTIGRAVITY_CLIENT_ID"
-            CLIENT_SECRET = "REDACTED_ANTIGRAVITY_SECRET"
+            _sec = _oauth_secrets.get("antigravity", {})
+            CLIENT_ID = _sec.get("client_id", "")
+            CLIENT_SECRET = _sec.get("client_secret", "")
             SCOPES = [
                 "https://www.googleapis.com/auth/cloud-platform",
                 "https://www.googleapis.com/auth/userinfo.email",
@@ -3288,8 +3296,9 @@ class EditEndpointDialog(Gtk.Dialog):
             callback_path = "/oauth-callback"
             provider_kind = "antigravity"
         else:
-            CLIENT_ID = "REDACTED_GEMINI_CLI_CLIENT_ID"
-            CLIENT_SECRET = "REDACTED_GEMINI_CLI_SECRET"
+            _sec = _oauth_secrets.get("gemini_cli", {})
+            CLIENT_ID = _sec.get("client_id", "")
+            CLIENT_SECRET = _sec.get("client_secret", "")
             SCOPES = [
                 "https://www.googleapis.com/auth/cloud-platform",
                 "https://www.googleapis.com/auth/userinfo.email",