You can localize your script and pass the nonce and ajax url to the script.
Learn more about script localization.
function wpse_206839() {
// Register our script just like we would enqueue it - for WordPress references
wp_register_script( 'my-special-script', 'directory/my-special-script.js', array( 'jquery' ), false, true );
// Create any data in PHP that we may need to use in our JS file
$local_arr = array(
'ajaxurl' => admin_url( 'admin-ajax.php' ),
'security' => wp_create_nonce( 'my-special-string' )
);
// Assign that data to our script as an JS object
wp_localize_script( 'my-special-script', 'specialObj', $local_arr );
// Enqueue our script
wp_enqueue_script( 'my-special-script' );
}
add_action( 'wp_enqueue_scripts', 'wpse_206839' );
This will allow us to access our nonce in JS as console.log( specialObj.security );