Secrets are generated client-side with the Web Crypto API and never sent to the server.