interview

home / developersection / interviews / how do you store tokens securely in a web or mobile app?

Ask Question
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

10-Jun-2025

Storing authentication tokens (like JWTs, OAuth access tokens, refresh tokens, or API keys) securely is crucial to preventing unauthorized access and token theft.

Here’s a breakdown based on platform:

1. Web Apps (Browser-based)

Tokens to Store

  • Access token (short-lived)
  • Refresh token (optional)

Best Practices

Storage Secure? Comments
Memory (JavaScript variable) Yes Safest — not persisted. Use in SPAs. But token lost on refresh.
HttpOnly Cookie Yes Can’t be read by JavaScript (protects from XSS). Needs SameSite, Secure, HttpOnly.
localStorage / sessionStorage NO Vulnerable to XSS attacks. Should be avoided for long-lived tokens.

Recommendation

  • Use HttpOnly secure cookies for session-based tokens (with CORS configured properly).
  • Or store access token in memory only (short-lived).
  • Never store tokens in localStorage unless absolutely necessary and XSS risk is well mitigated.

2. Mobile Apps (iOS, Android, etc.)

Best Practices

Platform Storage API Comments
Android EncryptedSharedPreferences or Android Keystore Keys are encrypted and stored securely.
iOS Keychain Services Secure, encrypted storage for credentials and tokens.
Flutter / React Native Use plugins like flutter_secure_storage, react-native-keychain Wraps native secure storage.

Tips

  • Don’t store access tokens in plain storage or logs.
  • Use short-lived access tokens and refresh tokens with strong rotation policies.
  • Protect against reverse engineering — obfuscate code, don’t hardcode secrets.

3. Desktop Apps (Electron, WPF, etc.)

Framework Secure Storage
Electron OS keychain (via Node.js modules like keytar)
.NET (WPF/WinForms) Windows DPAPI (ProtectedData)

Example in C#:

byte[] encrypted = ProtectedData.Protect(
    Encoding.UTF8.GetBytes(token),
    null,
    DataProtectionScope.CurrentUser);

Bonus: Refresh Token Strategy

For SPAs or mobile apps:

  • Store access token in memory
  • Store refresh token securely (cookie or secure storage)
  • Rotate access token frequently
  • On expiration, send refresh token to renew access token

What Not to Do

  • Don’t store tokens in localStorage or sessionStorage if you care about XSS protection.
  • Don’t hardcode API keys or secrets in frontend JavaScript or mobile app binaries.
  • Don’t store tokens in plain files or logs.

Summary

Platform Best Storage
Web SPA Memory (access), HttpOnly cookie (refresh)
Web (traditional) HttpOnly secure cookie
Android EncryptedSharedPreferences or Keystore
iOS Keychain
Desktop DPAPI / Keytar
advertising
advertising

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy