Wouldn't anyone be able to inspect the JavaScript, retrieve the secrets and gain access to my backend?

It is safe to include the app secret in client-side code (the same question is valid for native apps). The app secret has minimal privileges and uncovering it does not pose a risk to your data in any way.



For more information, see http://devcenter.kinvey.com/guides/security

Here's another stab at this same answer : http://calendee.com/are-baas-providers-secure/