Services
Technology Web App Development Mobile App Development Windows App Development Database Development UI/UX Development Cloud Development SEO Digital Marketing Guest Posting Content Writing Artificial Intelligence Data Science ERP Development CRM Development CMS Development LMS Development Business Listing Blockchain Technology Startup Promotion
Products
Data Converter Cleaner TUC - Unit Converter Import Export Survey Manager Tweet Controller
Developer
Article Blog Forum Interview Beginner News Startup Quiz
Users
Career
Apply Job Internship
Pricing
Login Sign Up Get a Quote

interview

home / developersection / interviews / how do you store tokens securely in a web or mobile app?
Ask Question
Ravi Vishwakarma
Ravi Vishwakarma

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Message

1 Answers

Ravi Vishwakarma
Ravi Vishwakarma 10 Jun 2025
Report Abuse

Storing authentication tokens (like JWTs, OAuth access tokens, refresh tokens, or API keys) securely is crucial to preventing unauthorized access and token theft.

Here’s a breakdown based on platform:

1. Web Apps (Browser-based)

Tokens to Store

  • Access token (short-lived)
  • Refresh token (optional)

Best Practices

Storage Secure? Comments
Memory (JavaScript variable) Yes Safest — not persisted. Use in SPAs. But token lost on refresh.
HttpOnly Cookie Yes Can’t be read by JavaScript (protects from XSS). Needs SameSite, Secure, HttpOnly.
localStorage / sessionStorage NO Vulnerable to XSS attacks. Should be avoided for long-lived tokens.

Recommendation

  • Use HttpOnly secure cookies for session-based tokens (with CORS configured properly).
  • Or store access token in memory only (short-lived).
  • Never store tokens in localStorage unless absolutely necessary and XSS risk is well mitigated.

2. Mobile Apps (iOS, Android, etc.)

Best Practices

Platform Storage API Comments
Android EncryptedSharedPreferences or Android Keystore Keys are encrypted and stored securely.
iOS Keychain Services Secure, encrypted storage for credentials and tokens.
Flutter / React Native Use plugins like flutter_secure_storage, react-native-keychain Wraps native secure storage.

Tips

  • Don’t store access tokens in plain storage or logs.
  • Use short-lived access tokens and refresh tokens with strong rotation policies.
  • Protect against reverse engineering — obfuscate code, don’t hardcode secrets.

3. Desktop Apps (Electron, WPF, etc.)

Framework Secure Storage
Electron OS keychain (via Node.js modules like keytar)
.NET (WPF/WinForms) Windows DPAPI (ProtectedData)

Example in C#:

byte[] encrypted = ProtectedData.Protect(
    Encoding.UTF8.GetBytes(token),
    null,
    DataProtectionScope.CurrentUser);

Bonus: Refresh Token Strategy

For SPAs or mobile apps:

  • Store access token in memory
  • Store refresh token securely (cookie or secure storage)
  • Rotate access token frequently
  • On expiration, send refresh token to renew access token

What Not to Do

  • Don’t store tokens in localStorage or sessionStorage if you care about XSS protection.
  • Don’t hardcode API keys or secrets in frontend JavaScript or mobile app binaries.
  • Don’t store tokens in plain files or logs.

Summary

Platform Best Storage
Web SPA Memory (access), HttpOnly cookie (refresh)
Web (traditional) HttpOnly secure cookie
Android EncryptedSharedPreferences or Keystore
iOS Keychain
Desktop DPAPI / Keytar
MindStick Training