Isn't the whole point of CLIENT_SECRETS to keep them secret? I understand that once your code is run client-side there is no point in trying to obfuscate anything. However, isn't there a risk of your application being compromised by someone using your credentials, or am I missing something here? It seems to be the norm: the Google API samples all have hardcoded bits that you plug your tokens and keys into. There is always the option of having a middleman to intercept calls from the client, authenticate and send back the access token, but this doesn't seem to deter most people I've seen, who just hardcode these anyway, i.e.: https://github.com/manosim/gitify/blob/master/src/js/utils/constants.js#L3:L4
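The "middleman" option mentioned in the question, as an added example that is not part of the original post or of any project it links to: a server-side handler that receives only the authorization code from the client, attaches the secret from its own environment, and returns just the access token. It assumes a standard OAuth 2.0 authorization-code flow; the endpoint URL, client ID, environment variable name and function names are hypothetical.

```javascript
// Server-side token exchange: the client secret exists only in server config.
// Hypothetical placeholders: tokenUrl, clientId, OAUTH_CLIENT_SECRET.
const CONFIG = {
  tokenUrl: 'https://provider.example/oauth/token',
  clientId: 'example-client-id',                  // public, may ship in the client
  clientSecret: process.env.OAUTH_CLIENT_SECRET,  // never shipped to clients
};

// Build the provider request. The client only ever supplies `code`.
function buildTokenRequest(code, config = CONFIG) {
  if (typeof code !== 'string' || code.length === 0 || code.length > 512) {
    throw new Error('invalid authorization code');
  }
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    client_id: config.clientId,
    client_secret: config.clientSecret,
  });
  return {
    url: config.tokenUrl,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
      body: body.toString(),
    },
  };
}

// Handle one client request and return { status, body } for the HTTP layer.
// `fetchImpl` is injectable so the logic can be exercised without a network.
async function handleExchange(clientPayload, config = CONFIG, fetchImpl = fetch) {
  if (!config.clientSecret) return { status: 500, body: { error: 'server_misconfigured' } };
  let request;
  try {
    request = buildTokenRequest(clientPayload && clientPayload.code, config);
  } catch (err) {
    return { status: 400, body: { error: 'invalid_request' } };
  }
  const upstream = await fetchImpl(request.url, request.options);
  if (!upstream.ok) {
    // Do not relay upstream error bodies; they may echo request parameters.
    return { status: 502, body: { error: 'token_exchange_failed' } };
  }
  const json = await upstream.json();
  // Return only what the client needs, never the secret or the raw upstream body.
  return { status: 200, body: { access_token: json.access_token, token_type: json.token_type } };
}
```

The client still ends up holding an access token, so this protects the application's own credential rather than the user's session.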