Closed j2l closed 2 years ago
Yes, that is how it works. Here are some resources you can use to educate yourself about OAuth/OIDC and security related to what is exposed to the browser in different authorization flows.
https://openid.net/specs/openid-connect-core-1_0.html
https://datatracker.ietf.org/doc/html/rfc7636
https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce
https://auth0.com/docs/authorization/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce
I was not mean but hey, you can use the auth0 svelte code and tutorial to educate yourself. It does the same stuff without the need for additional packages. I frankly hoped that yours was doing it differently.
The client_id is not a secret. There is no need to hide or obfuscate it in an SPA.
Simply visit http://localhost:5000/build/bundle.js and search for client_id.