@dtl,
Welcome to the Auth0 Community Forum!
There is not really any solution for this. Due to the nature of public clients, any global API key or secret that is sent with the application is inspectable by any user who can access the SPA. They can get the key/secret and use the API like they were the SPA. You can obfuscate it to make it more difficult for an average user, but a public client with no unique credential (like a username/password) is going to be able to be inspected.
Do you have a specific concern about securing information in an API that is freely available via a SPA?