Auth0 doesn’t issue API keys at all, and yes, absolutely don’t store API keys or any secrets in your client-side apps!
We use OAuth2 flows that don’t require secrets in order to authenticate users from client-side applications. You don’t necessarily need to know how these flows work to use Auth0, but if you’re interested, check out the Authorization Code Flow with Proof Key for Code Exchange (PKCE). This flow allows you to authenticate users in a single page app without having to store a secret.
If you use our React SDK, most of the heavy lifting is done for you, and all you have to do is plug in some client info.
Is your goal a SPA + API architecture?