On first load the app auto-provisions a fresh, isolated sandbox. The client secret is held server-side (the BFF); your browser never sees a credential.