client.request() using secure parameter in manifest.json

Hello Experts,

I am developing a Zendesk sidebar app to interact with my Paypal account. Following are the steps I am following

1) Created a Zendesk sidebar app

2) Call the Paypal API to fetch the access token using client_id and client_secret

3) Use Paypal rest APIs to do further business logic implementation

The requirement here is that I want my client_secret to be secure and not accessible to anyone. So what I did is created a "client_id:client_secret" string. Encoded it using btoa manually and stored the resulting string as a secure parameter in the manifest.json

Now when I try to access the secure parameter, I am getting an error. Following is my code snippet

const oAuthResponse = await client.request({
        url: "https://api-m.paypal.com/v1/oauth2/token",
        headers: { "Authorization": "Basic {{setting.client_secret}}" },
        secure: true,
        type: 'POST',
        contentType: 'application/json',
        data: JSON.stringify({ 'grant_type': 'client_credentials'})
      }
    ).then(function(data) {
        console.log(data);
        return data;
    });

It gives me the following error.

responseText: "Proxy error: Invalid request"
status: 400

 Is there something I am doing incorrectly ?