Where to Store Tokens

Not sure where to store tokens? This guide outlines how to securely store tokens used in token-based authentication.

Regular web apps

ID Tokens, Access Tokens, and (optional) Refresh Tokens should be handled server-side in typical web applications. The application server uses the tokens to call APIs on behalf of the user; the browser never needs to hold them.

Native/mobile apps

Single-page apps

Don't store tokens in local storage

Browser local storage (or session storage) is not a secure place to store sensitive information. Any data stored there:

If an attacker steals a token, they can gain access to and make requests to your API. Treat tokens like credit card numbers or passwords: don’t store them in local storage.

If a backend is present

If your single-page app has a backend server at all, then tokens should be handled server-side using the Authorization Code Flow, Authorization Code Flow with Proof Key for Code Exchange (PKCE), or Hybrid Flow.

If no backend is present

If you have a single-page app (SPA) with no corresponding backend server, your SPA should request new tokens on login and store them in memory without any persistence. To make API calls, your SPA would then use the in-memory copy of the token.
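The following is an added example, not code from the original page or from any particular SDK, of the in-memory approach just described. The token lives in a closure variable for the lifetime of the page: it is never written to localStorage, sessionStorage or a cookie, it is not sent automatically with any request, and a reload discards it, so the SPA requests new tokens on login. The `fetchImpl` parameter is an assumed injection point that defaults to the browser's `fetch` and lets the wrapper run without a network.

```javascript
// Added example (not from the original page): in-memory token store for a
// SPA with no backend.
function createTokenStore() {
  // Closure-private state. Not exposed through the Storage API and gone on
  // page reload, which is the point: nothing persists between sessions.
  let accessToken = null;
  let expiresAt = 0; // epoch milliseconds

  return {
    // Called after login or silent renewal with the token response from
    // the authorization server (assumed shape: { access_token, expires_in }).
    set(tokenResponse, now = Date.now()) {
      accessToken = tokenResponse.access_token;
      expiresAt = now + tokenResponse.expires_in * 1000;
    },
    // Returns the token only while it is unexpired; otherwise null, so the
    // caller requests a fresh one instead of sending a dead token.
    get(now = Date.now()) {
      return accessToken !== null && now < expiresAt ? accessToken : null;
    },
    // Logout: forget the token. There is no persistent copy to clean up.
    clear() {
      accessToken = null;
      expiresAt = 0;
    },
  };
}

// Wraps fetch so the token is read from memory at call time and attached as
// a bearer credential. It is never copied into a persistent store.
function authorizedFetch(store, url, options = {}, fetchImpl = globalThis.fetch) {
  const token = store.get();
  if (token === null) {
    // Surface this to the app so it re-runs login rather than retrying
    // with no credential.
    throw new Error('no valid access token in memory; re-authenticate');
  }
  const headers = { ...(options.headers || {}), Authorization: `Bearer ${token}` };
  return fetchImpl(url, { ...options, headers });
}
```

The store exposes no way to read the expiry or to serialize its contents, so the only path for the token out of the page is the Authorization header on an API call. When `get` returns null the application should start the login or renewal flow again rather than fall back to any cached copy.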