the client secret in the avery config should not be plain text

[simonrainerson]

Oath recommends hashing or encrypting it so it's not stored in plain text in the config.

https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

[abbec]

But then we would need the seed or key to be in the code instead. This is a common problem in mobile and native apps and does not really have a solution.