Hi there,
Yes, you should check in all of the changed files, including the .sonarlint folder.
The profile key isn’t an auth token - it’s the identifier for the Quality Profile for the Sonar project the solution is bound to.
If your SonarQube server requires user credentials (i.e. doesn’t allow anonymous access) then the credentials you provide will be stored in the Windows Credential Manager.
Note that the credentials are stored per-user and per-machine, so any other developer who opens the solution will need to provide their own credentials. However, there is a known bug in this area that was reported last week that will affect you if your server does not allow anonymous access: see https://github.com/SonarSource/sonarlint-visualstudio/issues/726 for more information.
Regards,
Duncan