What is the best way to pass access_token to client after authentication?

xameeramir
xameeramir in API clients
We're able to get the access token after the Kite session POST API.

Our question is that if we don't pass the access_token to the user's client as per the warning stated in the docs which says that
Warning

Never expose your api_secret by embedding it in a mobile app or a client side application. Do not expose the access_token you obtain for a session to the public either.
then how will the user's client be able to send API requests to us?
Tagged:
  • sujith
    sujith
    If it is a client application then don't write access token to a file. You need to use secure storage or app preferences.
    If it is a client application made for mass then don't hard code api_secret. Do your auth stuff on the backend application.
  • xameeramir
    xameeramir
    @sujith It's basically a web app - I'm storing the access token in a localStorage key which is extremely vulnerable.

    Another option is storing access token in a cookie which is also vulnerable. Can't make the right decision
Sign In or Register to comment.