Is it dangerous to put my client_id in public js file using lock v11?

I am using this code for initialize my auth0 object in my login.html page

// Initializing our Auth0Lock
var lock = new Auth0Lock(
auth: {
params: {
etc… etc…
responseType: ‘code’,
is it dangerous to put this information in public access?

thank you in advance!

Hello @soporte.desarrollo,

Welcome to the Community! I would not openly publicise a client ID like that, at least not for a “real” service, but Client IDs should be treated as public information similar to a “username”. They are not a secret, but I wouldn’t leave them where they can be easily picked up.


Thank you for the fast response markd, so where would be a good place to save this client id ? taking into account that i need to use it for initialize my js script in html, thanks!!

I’m not a developer, but I believe the usual answer is to store the client ID and client secret as environment variables, however that is done for whichever stack you are using. For my python scripts I use a .env file. There are also more advanced secrets management options like Hashicorp, though I don’t have any experience with those.

Ok thank you!

It’s just that in a python script you can use environment variables right? But in a javascript file that is executed in the client’s browser, i cannot do anything to hide the client_id, it’s like that info it’s supposed to be in a public script as explained in the auth0 API, no?

Please correct me if am wrong, thanks!

Can you share the link with us that you are using as a reference?

Yeah of course i used this:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.