Working on a project. I have a laravel folder which is the backend API and another folder with a VueJs app.
Usually I would use JWT for auth and may still go back there but wanted to try and use as much of the laravel official packages as possible.
My problem is when looking at online tutorials online they all seem to store the client secret key from laravel passport in the JS. Which would mean if someone did inspect the app.js file it could be seen. I know cors can restrict where the request can be accepted from but just doesn't seem right to have the client secret key store where the public can access it.
Where is the best place to store the client secret key etc? Is there something part of the laravel passport package I am missing when reading the docs?