Is it safe to only use React with Auth0?

Client ID is not a secret. You can share this value in your client application.

You’ll notice we do not pass a client secret (I’m assuming this is what you mean by SESSION_SECRET) when we create a Single Page React App.


This is why we use Signed JWT Tokens. These tokens cannot be tampered with without invalidating the signature. This allows the resource server (API) to be confident that the request from the client is legitimate, and the user’s permissions are accurate.
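The tamper-evidence described above, seen from the resource server's side, as an added example that is not part of the original post and is not Auth0's code. The key pair, issuer, audience, claims and function names are constructed stand-ins; the API verifies with the public key only, so no secret has to live in the React client.

```javascript
// Added example: keys, claims and names below are constructed; not Auth0's code.
const crypto = require("node:crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Stand-in for the authorization server: only it holds the private key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

function issueToken(claims) {
  const signingInput = `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(claims)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Resource server (API): verifies with the public key only, no shared secret.
function verifyToken(token, { issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = decode(parts[0]);
    claims = decode(parts[1]);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm; never let the token choose it (e.g. "none" or HS256).
  if (header?.alg !== "RS256") return { ok: false, reason: "bad alg" };
  const valid = crypto.verify("RSA-SHA256", Buffer.from(`${parts[0]}.${parts[1]}`),
    publicKey, Buffer.from(parts[2], "base64url"));
  if (!valid) return { ok: false, reason: "bad signature" };
  if (!claims || claims.iss !== issuer) return { ok: false, reason: "bad issuer" };
  if (![].concat(claims.aud).includes(audience)) return { ok: false, reason: "bad audience" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  return { ok: true, claims };
}

// Constructed sample values.
const expected = { issuer: "https://tenant.example.invalid/", audience: "https://api.example.invalid" };
const token = issueToken({ iss: expected.issuer, aud: expected.audience, sub: "user|123",
  permissions: ["read:reports"], exp: Math.floor(Date.now() / 1000) + 300 });

// A client that edits its own permissions cannot re-sign without the private key.
function tamper(tok) {
  const [h, p, s] = tok.split(".");
  const claims = decode(p);
  claims.permissions = ["read:reports", "delete:reports"];
  return `${h}.${b64url(claims)}.${s}`;
}
```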