Auth0 ClientID visible in chrome dev tools request header

maulik.khandwala · August 31, 2020, 1:38am

Hi there,

I am using Auth0 for one of my SPA projects and use auth0 js library. While debugging I found that , when a request is made to Auth0 by calling LoginwithRedirect, I can see all the secret values like ClientID, Secret, domain etc as part of Request header , they are plain text values and not encoded. It’s a big security risk as what if any rouge user finds this info ? what can we do to decode/hide those values?

See below image for more info. This is not good

thanks,
Maulik

dan.woda · August 31, 2020, 8:47pm

Hi @maulik.khandwala,

Client ID and domain are not secrets. You should expect any user that is using your app to have access to client ID and domain. This is because of the magic of the auth code + PKCE flow

Client secret should not be used in a SPA, but it doesn’t look like it is in the request you posted. You should be good here.

just fyi encoded ≠ encrypted

Everything here looks good to me, let us know if you have any other questions!

Topic		Replies	Views
I have an unknown client ID making api request to my auth0 audience JWT.io	4	2388	April 19, 2023
Universal Login - Login Form - Plain Text Credentials Get Help login-experience , new-universal-login-experience	4	82	October 29, 2025
Auth0 Application Client Secret Get Help auth0-react , sdks-quickstarts	2	205	August 30, 2024
Are application keys (domain and cliendID) supposed to be kept secret? Get Help auth0	3	3385	March 30, 2020
Safe management of Auth0 information in source control Get Help api , spa	4	5316	August 28, 2019

Auth0 ClientID visible in chrome dev tools request header

Related topics