This is because Single-Page Applications are public clients and cannot store any secrets. Hence why SPA’s implement PKCE for token exchange. See here for a more detailed explanation.
In this case, if you plan on developing your application with React, then the appropriate SDK to use is the Auth0 React SDK. Similarly, for the other frameworks.
Otherwise, the appropriate SDK to use with your Javascript app is the Auth0 spa-js SDK.
Hoped this helps! Please let me know if you have any questions.