You can’t. Any secrets you put into your pages or JavaScript can be read out of the downloaded files by the client.
Instead, you probably want to either:
- Move the secrets into your server-side code and have your server code make requests to external APIs using the secrets, and use WordPress nonces and login cookies to authenticate your client scripts to your server
- If you’re using a third-party service that users can authenticate against directly, set up OAuth or OpenID connect to get your users authenticated against that service. Then, your script can use the tokens returned by that (which are per-user) to request that service.