ClientIDs are considered public
Client Secrets are secret
An auth token is also considered secret depending on a few things (if it’s the user’s own token then it’s safe to show the user their own user token), but since an auth token can expire, it shouldn’t be in your code anyway.
When the token dies/expires, the app can’t be fixed (without an app update), as you hard-coded the auth token.