In the page to obtain a JWT, the jQuery code snippet looks like this: var settings = { "async": true, "crossDomain": true, "url": "https://xyz.auth0.com/oauth/token", "method": "POST", "headers": { "content-type": "application/json" }, "data": "{\"client_id\":\"...\",\"client_secr…

client_id: yes. client_secret, absolutely not. We encode tokens with that secret, so, anyone having this secret can emit tokens that your application will think it’s safe. Also, from a web page, you shouldn’t be calling the oauth/token endpoint. Please follow our jquery quick starts: https://auth0.…

Is it safe to expose client_id, client_secret, and audience on HTML pages?

Get Help

Topic		Replies	Views
Static pages, AWS API Gateway, Custom Authorizers and JWT tokens: how? Get Help jwt , aws , lambda , api-gateway	3	6596	December 17, 2018
Auth0 ClientID visible in chrome dev tools request header Get Help jwt , auth0js	2	4334	September 15, 2020
Safe management of Auth0 information in source control Get Help api , spa	4	5149	August 28, 2019
[SPA + API] Can NOT Get Audience Correct Get Help jwt , auth0 , api , spa , audience	4	5124	February 9, 2019
Jwt audience invalid - It's client_id instead of the real audience Get Help	3	15308	August 29, 2019

Is it safe to expose client_id, client_secret, and audience on HTML pages?

Related topics