Auth0 Home Blog Docs

Is it safe to expose client_id, client_secret, and audience on HTML pages?

jquery
spa
security

#1

In the page to obtain a JWT, the jQuery code snippet looks like this:

var settings = {
  "async": true,
  "crossDomain": true,
  "url": "https://xyz.auth0.com/oauth/token",
  "method": "POST",
  "headers": {
    "content-type": "application/json"
  },
  "data": "{\"client_id\":\"...\",\"client_secret\":\"...\",\"audience\":\"...\",\"grant_type\":\"client_credentials\"}"
}

$.ajax(settings).done(function (response) {
  console.log(response);
});

Is it safe to expose client_id, client_secret, and audience on the HTML page(s) of production applications?


Static pages, AWS API Gateway, Custom Authorizers and JWT tokens: how?
#2

client_id: yes. client_secret, absolutely not. We encode tokens with that secret, so, anyone having this secret can emit tokens that your application will think it’s safe.

Also, from a web page, you shouldn’t be calling the oauth/token endpoint. Please follow our jquery quick starts: https://auth0.com/docs/quickstart/spa/jquery/01-login


#4

Luis,

What about the unique audience ID? Is it safe to be exposed?

Screenshot%20from%202018-07-06%2021-34-14


#5

Yeah, that’s fine. You’ll probably expose the url by making request to it anyway.