Should I be validating JWT on my back-end with or without secret?

Hey @kkrp1 !

Great question! It depends on which algorithm you’re using to sign tokens (you can check in your application settings → advanced → oauth tab as well as in your API settings). Typically this will be RS256, which is asymmetric, won’t include using a secret, and is generally considered more secure. HS256 is symmetric and requires a secret. Some further resources on this topic:

Hope this helps to clarify!
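The difference described in the reply above, as an added example that is not part of the original post or any vendor's code: a back end checking an RS256 token holds only the public key, while an HS256 check needs the same secret that signed the token. It uses Node's built-in `crypto` module; the `sign` and `verify` helpers, the key pair, the secret and the claims are all constructed for illustration.

```javascript
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Constructed test issuer: signs a token the way an authorization server would.
function sign(payload, alg, key) {
  const input = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  const sig = alg === 'HS256'
    ? crypto.createHmac('sha256', key).update(input).digest() // shared secret
    : crypto.sign('sha256', Buffer.from(input), key);         // RS256: private key
  return `${input}.${b64url(sig)}`;
}

// Back-end check. expectedAlg comes from server configuration, never from the
// token itself, so a token signed with a different algorithm is rejected.
function verify(token, expectedAlg, key) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString()); } catch { return null; }
  if (header.alg !== expectedAlg) return null;
  const input = Buffer.from(`${h}.${p}`);
  const sig = Buffer.from(s, 'base64url');
  let ok = false;
  if (expectedAlg === 'HS256') {
    const mac = crypto.createHmac('sha256', key).update(input).digest();
    ok = mac.length === sig.length && crypto.timingSafeEqual(mac, sig);
  } else if (expectedAlg === 'RS256') {
    ok = crypto.verify('sha256', input, key, sig); // public key is enough
  }
  if (!ok) return null;
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= Date.now() / 1000) return null;
  return claims;
}

// Constructed sample data (not real credentials).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const secret = crypto.randomBytes(32);
const sampleClaims = { sub: 'user-123', exp: Math.floor(Date.now() / 1000) + 300 };
const rsToken = sign(sampleClaims, 'RS256', privateKey);
const hsToken = sign(sampleClaims, 'HS256', secret);
console.log('RS256 with public key only:', verify(rsToken, 'RS256', publicKey) !== null);
console.log('HS256 with shared secret:', verify(hsToken, 'HS256', secret) !== null);
```

A production API would normally use a maintained JWT library and also check the `iss` and `aud` claims; this sketch only shows which key each algorithm needs on the validating side.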