Why this matters
The production reason.
Read private tokens only in server components, route handlers, or server actions. This matters because small implementation habits compound across every page, component, and handoff in a production codebase.
Use the pattern where the behavior is owned, keep the API small, and make the result easy for another developer to verify later.
The goal is not clever code. The goal is predictable code that survives new content, new teammates, and real user traffic.
// Keep secrets in server code
// Apply this pattern in the smallest file that owns the behavior.
const beforeShipping = [
"Name the intent clearly",
"Handle the empty or error state",
"Keep the change easy to test",
];