Should the Auth token and/or client ID be secret?

Sure a client id is considered public, since it’s used in the URL that you redirect users to Twitch to auth with