I am using Auth0 for one of my SPA projects and use the auth0 js library. While debugging I found that, when a request is made to Auth0 by calling LoginwithRedirect, I can see all the secret values like ClientID, Secret, domain etc. as part of the request header; they are plain text values and not encoded. It's a big security risk: what if any rogue user finds this info? What can we do to decode/hide those values?
Client ID and domain are not secrets. You should expect any user that is using your app to have access to the client ID and domain. This is because of the magic of the auth code + PKCE flow.
The client secret should not be used in a SPA, but it doesn't look like it is in the request you posted. You should be good here.