The documentation of octokit/core.js shows examples of using the module in the browser but doesn't show how the token was acquired or where it is stored. So, I assume the token is readily available in the browser.
If storing tokens in the browser is not secure, then is there any use case where accessing the GitHub API using a browser is valid?
I couldn't find a way to get the token from octokit. I followed the GitHub web app flow: https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps#web-application-flow
What I did was store the token in the browser as an httpOnly cookie, then pass it to my Node.js server to call GitHub APIs.
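The server side of the httpOnly-cookie pattern described above, as an added example that is not part of the original post and not octokit's own code. The cookie name, path allowlist, and cookie lifetime are assumptions; the two GitHub URLs are the token endpoint of the web application flow and the REST API host.

```javascript
// Added example (Node.js 18+). Cookie name, allowlist and Max-Age are assumptions.
const COOKIE = 'gh_token';
const ALLOWED_PATHS = new Set(['/user', '/user/repos']); // only what the page needs

// Step 2 of the web application flow: swap the ?code= from GitHub's redirect
// for an access token. Runs on the server, so client_secret never reaches the browser.
async function exchangeCode(code, { clientId, clientSecret }, fetchImpl = fetch) {
  const res = await fetchImpl('https://github.com/login/oauth/access_token', {
    method: 'POST',
    headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
    body: JSON.stringify({ client_id: clientId, client_secret: clientSecret, code }),
  });
  const data = await res.json();
  if (!data.access_token) throw new Error(data.error || 'no access_token returned');
  return data.access_token;
}

// Set-Cookie value: HttpOnly hides the token from page scripts, Secure limits it
// to HTTPS, SameSite=Lax keeps it off cross-site subrequests.
function tokenCookie(token) {
  return `${COOKIE}=${encodeURIComponent(token)}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=28800`;
}

// Pull the token back out of the request's Cookie header.
function readToken(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq).trim() === COOKIE) {
      try { return decodeURIComponent(part.slice(eq + 1).trim()); } catch { return null; }
    }
  }
  return null;
}

// Proxy step: the browser asks this server, and the server attaches the token.
// The allowlist stops the endpoint from becoming a general-purpose GitHub proxy.
async function callGitHub(cookieHeader, path, fetchImpl = fetch) {
  const token = readToken(cookieHeader);
  if (!token) return { status: 401, body: { error: 'not signed in' } };
  if (!ALLOWED_PATHS.has(path)) return { status: 403, body: { error: 'path not allowed' } };
  const res = await fetchImpl(`https://api.github.com${path}`, {
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json' },
  });
  return { status: res.status, body: await res.json() };
}
```

In a real handler, `exchangeCode` runs in the OAuth callback route after the `state` parameter has been checked, and its result goes out in a `Set-Cookie` header built by `tokenCookie`.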