But what about client secret? It is one of the most important parameter to pass in auth code grant. And javascript cant store that as its client side and code is exposed to the world. If possible, please ping me: nutandevjoshi@gmail.com as I dont want the linking of the context we are talking on to go away. I would have a few questions and you have had experience with SPA Oauth system. Thanks