Is it safe to expose client_id, client_secret, and audience on HTML pages?

Brng · May 27, 2018, 4:19am

In the page to obtain a JWT, the jQuery code snippet looks like this:

var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://xyz.auth0.com/oauth/token",
  "method": "POST",
  "headers": {
    "content-type": "application/json"
  },
  "data": "{\"client_id\":\"...\",\"client_secret\":\"...\",\"audience\":\"...\",\"grant_type\":\"client_credentials\"}"
}

$.ajax(settings).done(function (response) {
  console.log(response);
});

Is it safe to expose client_id, client_secret, and audience on the HTML page(s) of production applications?

luis.rudge · May 27, 2018, 7:33am

client_id: yes. client_secret, absolutely not. We encode tokens with that secret, so, anyone having this secret can emit tokens that your application will think it’s safe.

Also, from a web page, you shouldn’t be calling the oauth/token endpoint. Please follow our jquery quick starts: https://auth0.com/docs/quickstart/spa/jquery/01-login

Brng · July 6, 2018, 11:34am

Luis,

What about the unique audience ID? Is it safe to be exposed?

Screenshot%20from%202018-07-06%2021-34-14

luis.rudge · July 6, 2018, 2:22pm

Yeah, that’s fine. You’ll probably expose the url by making request to it anyway.

Topic		Replies	Views
Static pages, AWS API Gateway, Custom Authorizers and JWT tokens: how? Help jwt , aws , lambda , api-gateway	3	6585	December 17, 2018
Auth0 ClientID visible in chrome dev tools request header Help jwt , auth0js	2	4230	September 15, 2020
Safe management of Auth0 information in source control Help api , spa	4	5052	August 28, 2019
[SPA + API] Can NOT Get Audience Correct Help jwt , auth0 , api , spa , audience	4	5074	February 9, 2019
Jwt audience invalid - It's client_id instead of the real audience Help	3	14992	August 29, 2019

Is it safe to expose client_id, client_secret, and audience on HTML pages?

Related topics