generally speaking you should never reveal your secret to another
if you are having someone else help then they can generate their own clientID and secret.
Or you can give them your token to test with I guess
In this example it’s probably fine as they are on your team to help build the thing. But they can easily get their own client ID and ask you to authenticate against their clientID.