People often store client secrets in .env and config files, and generally you don’t expose these in client-facing code.
As for tokens, they are basically passwords, so handle them the same way you handle user passwords if your website/tool has a login form.