Hm. Okay, that’s interesting. Now I’m just confused how this all works 
because if I’m following the examples from Auth0 correctly, the client secret doesn’t need to be in the code at all (implicit grant flow I guess?). Clearly I have more research to do about how this all fits together.
Thanks for the info.