Auth0 Home Blog Docs

Allow only specific clients to call API rest service


I have SPA calling REST API - i have the client id and the client secret but those can get exposed. how can i verify that a client is only my SPA and not other client that knows my secret key and client id ?
what is the best practice to store the secret key in SPA - client running on browser without server side


A SPA cannot safely call a rest API, except on behalf of the user (i.e. the typical access token you get from an /authorize request where the user consents that the application will access the API on behalf of the user).