Hi, @dan.woda! Thank you for the welcome!
Where are you seeing sensitive credentials exposed on the client?
This part was not specifically mentioned in the doc, but going by this post from Stack Overflow, I was concerned it might not be a good idea to have the API key included on the frontend.
Also, thank you for the document, but I think I have already implemented the other parts and encountered a problem. Because of the above issue (hiding the key on the backend), I have also added a .env with the secret key and all that in my backend. As this is my first time implementing auth, is it normal that when the user presses the 'login' button, it fires a request to my server like below?
React Client: localhost:3000

```jsx
<Button onClick={() => axios.get("http://localhost:4041/loginuser")}/>
```

NodeJS + Express Server: localhost:4041

```ts
app.get("/loginuser", (req: Request, res: Response) => {
  res.oidc.login({
    authorizationParams: {
      screen_hint: 'signup'
    }
  })
});
```
However, when this is triggered, I get this error from the client-side
Is this flow good to implement? Any advice on how to implement it would be awesome. I looked through posts and it seems like Auth0 is not allowing a 302 redirect to the client. And I am not so confident this is the way to implement one.
Oh, and for your information, I have already added both localhost:3000 and localhost:4041 in the dashboard settings.
Any advice on this would be appreciated!
Thank you so much!