OAuth is designed to keep secrets confidential during authentication and authorization. However, there are additional best practices that you can takes to improve the security of your app.
API tokens and client secrets must be kept confidential and not submitted to public source control or exposed in user-accessible code.
A Proof Key for Code Exchange (PKCE) is required for mobile, desktop, and single-page apps as part of the OAuth 2.0 authorization code flow. Visit the OAuth documentation for information about using PKCE in authorization requests.