Hello @reganm,
There is definitely no good way to handle secrets on the client side. This isn’t an Auth0 thing … the client is not under your control and can never be trusted. The old default way to handle SPA authentication was the implicit grant flow, but there is new guidance coming out on that front. The link below should be helpful: