What is the best way to pass access_token to client after authentication?

We're able to get the access token after the Kite session POST API.

Our question is: if we don't pass the access_token to the user's client, as per the warning in the docs, which says that

Never expose your api_secret by embedding it in a mobile app or a client side application. Do not expose the access_token you obtain for a session to the public either.
then how will the user's client be able to send API requests to us?
  • sujith
    If it is a client application then don't write the access token to a file. You need to use secure storage or app preferences.
    If it is a client application made for the masses then don't hard-code the api_secret. Do your auth stuff on the backend application.
  • xameeramir
    @sujith It's basically a web app - I'm storing the access token in a localStorage key which is extremely vulnerable.

    Another option is storing the access token in a cookie, which is also vulnerable. I can't make the right decision.
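The pattern sujith describes ("do your auth stuff on the backend") can be made concrete. The following is an added example, not code from this thread or from Zerodha's Kite Connect SDKs. The backend keeps the api_secret and the Kite access_token entirely server-side, hands the browser only an opaque random session id in an HttpOnly/Secure/SameSite cookie (so neither localStorage nor page scripts ever hold the access_token), and attaches the real token to upstream Kite calls on the user's behalf. The cookie name `sid`, the in-memory `SessionStore`, and the `proxy_request` shape are assumptions for illustration; the `token api_key:access_token` authorization header format is taken from the Kite Connect HTTP docs and is likewise an assumption of this example.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"  # hypothetical cookie name for the opaque session id


class SessionStore:
    """Server-side map: opaque session id -> Kite access_token.

    Only the random session id ever reaches the browser; the access_token
    stays in this store on the backend. (In-memory dict for illustration;
    a real deployment would use a server-side store such as Redis.)
    """

    def __init__(self):
        self._sessions = {}

    def create(self, access_token):
        # 32 random bytes, URL-safe: unguessable and carries no user data
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = access_token
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def revoke(self, sid):
        # Called on logout or when Kite invalidates the token
        self._sessions.pop(sid, None)


def complete_login(store, access_token):
    """After the backend has exchanged the request_token with Kite's
    session POST API, mint a browser session and the Set-Cookie header."""
    sid = store.create(access_token)
    return sid, session_cookie_header(sid)


def session_cookie_header(sid):
    # HttpOnly: not readable by page JavaScript (unlike localStorage)
    # Secure:   only sent over HTTPS
    # SameSite=Lax: not attached to cross-site POST requests (CSRF mitigation)
    return f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie(cookie_header):
    """Extract the session id from a raw Cookie request header, if present."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def upstream_auth_header(api_key, access_token):
    # Assumed Kite Connect header format: "Authorization: token api_key:access_token"
    return f"token {api_key}:{access_token}"


def proxy_request(cookie_header, store, api_key):
    """What the backend does when the browser calls e.g. /api/holdings:
    resolve the cookie to a server-held access_token and build the headers
    for the upstream Kite call. Returns 401 if the session is unknown."""
    sid = session_id_from_cookie(cookie_header)
    token = store.lookup(sid) if sid else None
    if token is None:
        return {"status": 401, "headers": {}}
    return {"status": 200,
            "headers": {"Authorization": upstream_auth_header(api_key, token)}}


if __name__ == "__main__":
    # Constructed values; a real access_token comes from Kite's session POST API
    store = SessionStore()
    sid, set_cookie = complete_login(store, "ACCESS_TOKEN_PLACEHOLDER")
    print("Set-Cookie:", set_cookie)
    print(proxy_request(f"{SESSION_COOKIE}={sid}", store, "API_KEY_PLACEHOLDER"))
    store.revoke(sid)
    print(proxy_request(f"{SESSION_COOKIE}={sid}", store, "API_KEY_PLACEHOLDER"))
```

The browser's JavaScript only ever calls the backend's own endpoints with `credentials: "include"`; the cookie it carries is useless outside the backend, and revoking the session on the server invalidates it immediately, which is the property neither a localStorage token nor a cookie containing the raw access_token gives you.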