Shared secrets gives you something durable that clients can quietly exfiltrate to spy on users later. Not a good idea IMO, but others disagree