Should the Auth token and/or client ID be secret?