Hello @Alex Fang,
You want to interact with the IoT Hub using the service SDK.
So you will provide that client the Azure IoT connection string, probably taken from the iothubowner shared access policy.
This connection string gives full access to the service so you must protect it from falling into the wrong hands.
If you connect with the IoT Hub using browser code, everybody can see the connection string by checking the javascript code downloaded by the browser page.
Please follow the architecture seen in the samples and save yourself from being hacked (like paying for thousands of devices being created, millions of c2d messages being sent or uncontrollable manipulation of IoT Hub routes).
The same goes for eg. databases, storage accounts, and communication platforms. In general, accessing Azure services using a backend service, from a non-user standpoint, is always a wise decision.
If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.