The secret will be visible in dev tools, the same as passwords; they are all stored as plain text on the client, but when they are transferred over the network it will use TLS (HTTPS), so you don't need to worry about that. In this case a secret will be visible as params, so it's always visible. However, I would not use a secret to secure your API; instead use a JWT private key and send the key in the header and have Realm verify this key, with your private key stored with Realm.
By the way can you link the video you saw?
I don't work for MongoDB, but I think this might be a way to solve it. I am trying to do it for myself right now, as I have our own JWT auth system currently.
Let me know how you proceed. Or if Realm team members have any advice, I would like them to chime in.
- Why use a secret to secure the HTTP URLs? They are passed as params and are not a good way to secure your APIs.
- If we are using our own custom JWT, how can we pass our JWT in the header and have Realm functions check the header, verify, decode and allow or deny access?