Open
auth.md:
If you're building a client-side JavaScript app or a mobile app that doesn't have an associated back-end server, you'll find that you need to take some special steps to keep your client_secret confidential.
How can I keep my client_secret confidential if I want to build a 100%-browser JavaScript app?
How is the secret used? I don't see it in the URL examples of the client-side flow.