Thank you for the reply!
Since I am a novice, just to recap, does this mean the CLIENT_ID and SESSION_SECRET issued by Auth0 can be exposed to the public without any security concern?
And yes, the goal is to build an SPA + API architecture.
In this case, is it more plausible to have Auth0 on the backend side?
When having it on the SPA, I am also worried that the login state can be changed by accessing the Chrome dev tools.