Hey @kkrp1!
Great question! It depends on which algorithm you’re using to sign tokens (you can check in your application settings → Advanced → OAuth tab as well as in your API settings). Typically this will be RS256 which is asymmetric, won’t include using a secret, and is generally considered more secure. HS256 is symmetric and requires a secret. Some further resources on this topic:
https://community.auth0.com/t/rs256-vs-hs256-jwt-signing-algorithms/58609
Hope this helps to clarify!
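
The difference described in the reply above, as an added example that is not part of the original post or Auth0's own code: an HS256 verifier must hold the same secret that signed the token, while an RS256 verifier needs only the public key. The function names, the secret and the claims are constructed for illustration, and the expected algorithm is taken from the API's configuration rather than from the token header.

```javascript
// Added example: all names and sample values are constructed for illustration.
const crypto = require('crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');

// HS256: `key` is the shared secret. RS256: `key` is the RSA private key.
function signJwt(payload, alg, key) {
  const input = b64url(JSON.stringify({ alg, typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  const sig = alg === 'HS256'
    ? crypto.createHmac('sha256', key).update(input).digest()
    : crypto.sign('sha256', Buffer.from(input), key); // RSASSA-PKCS1-v1_5 + SHA-256
  return input + '.' + sig.toString('base64url');
}

// Verify against ONE algorithm fixed by configuration. Returns the claims or null.
// HS256: `key` is the shared secret. RS256: `key` is the RSA public key only.
function verifyJwt(token, expectedAlg, key) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString()); } catch { return null; }
  if (header.alg !== expectedAlg) return null; // reject tokens signed with another algorithm
  const input = Buffer.from(h + '.' + p);
  const sig = Buffer.from(s, 'base64url');
  if (expectedAlg === 'HS256') {
    const mac = crypto.createHmac('sha256', key).update(input).digest();
    if (mac.length !== sig.length || !crypto.timingSafeEqual(mac, sig)) return null;
  } else if (expectedAlg === 'RS256') {
    if (!crypto.verify('sha256', input, key, sig)) return null;
  } else { return null; }
  return JSON.parse(Buffer.from(p, 'base64url').toString());
}

// Constructed sample run: one token per algorithm, then mismatched checks.
function demo() {
  const secret = 'constructed-shared-secret';
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const hs = signJwt({ sub: 'user1' }, 'HS256', secret);
  const rs = signJwt({ sub: 'user1' }, 'RS256', privateKey);
  return {
    hsOk: verifyJwt(hs, 'HS256', secret),          // needs the secret itself
    rsOk: verifyJwt(rs, 'RS256', publicKey),       // needs only the public key
    crossAlg: verifyJwt(hs, 'RS256', publicKey),   // null: algorithm mismatch
    wrongSecret: verifyJwt(hs, 'HS256', 'other'),  // null: MAC does not match
  };
}
console.log(demo());
```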