Auth0 ClientID visible in chrome dev tools request header

Hi there,

I am using Auth0 for one of my SPA projects and use the auth0 js library. While debugging I found that, when a request is made to Auth0 by calling LoginwithRedirect, I can see all the secret values like ClientID, Secret, domain etc. as part of the request header; they are plain text values and not encoded. It’s a big security risk: what if any rogue user finds this info? What can we do to decode/hide those values?

See below image for more info. This is not good :open_mouth:

thanks,
Maulik

Hi @maulik.khandwala,

Client ID and domain are not secrets. You should expect any user that is using your app to have access to client ID and domain. This is because of the magic of the auth code + PKCE flow.

Client secret should not be used in a SPA, but it doesn’t look like it is in the request you posted. You should be good here.

Just FYI, encoded ≠ encrypted :smile:

Everything here looks good to me, let us know if you have any other questions!
