Finch access tokens are “keys” to sensitive information. You should treat access tokens with the same level of security as you would passwords.
Secure storage best practicesStoring tokens securely should be done on the backend (server-side) of your application, not on the frontend (client-side). A frontend application is more susceptible to potential security threats such as Cross-Site Scripting (XSS) attacks or unauthorized access if the client is compromised.
No application is 100% secure, but there are ways to reduce the potential of an exposure (and its impact) by following a few best practices:
- Store tokens on the backend of your application.
- Encrypt the access token before storing it.
- Use environment variables or a secure configuration management system to store static sensitive information that needs to be referenced like
client_secret
. - Never store access tokens in code files or easily accessible directories with human access.
- Ensure that tokens are not exposed in URLs, logs, or error messages.
- Keep all server-side components, libraries, and frameworks up-to-date with security patches to mitigate potential vulnerabilities.
Determine the best method for securely storing access tokens in your application’s backend. Reference the sections below if you need additional help.
EncryptionTo add an extra layer of security, you can encrypt the access token before storing it. Select a strong symmetric encryption algorithm, such as AES-256. Avoid using weak algorithms like DES, as they are susceptible to brute-force attacks due to its small key size (56 bits).
Never expose access tokensEnsure that tokens are not exposed in URLs, log files, or error messages. Regularly review logs for any exposure.
Ensure your frontend application never receives the access token to avoid incidental exposure. Your frontend, client-side application should only receive employment data, never the token itself.
Stay compliant with data privacy regulationsFamiliarize yourself with any applicable data privacy regulations, such as GDPR, CCPA, or other regional laws. Implement necessary measures to stay compliant with these regulations when handling, storing, and processing data obtained from the Finch APIs. This includes obtaining user consent when necessary (handled by Finch Connect), managing data deletion requests, and providing users with the ability to control their data.
Checkpoint + Next StepAfter completing this step, you should know how to store access tokens on the backend server, reduce the impact of their exposure, and comply with any data privacy regulations. When a connection is no longer needed, it is best practice to disconnect the token from Finch then delete it from your system.
Learn more
FAQs
Applications can use dedicated APIs, such as the Web Storage API or IndexedDB, to store tokens. Applications can also simply keep the token in memory or put them in cookies. Some storage mechanisms are persistent, and others are wiped after some period of time or when the page is closed or refreshed.
Where can I store my access token? ›
You can store the access token and refresh token in the server-side session. The application can use web sessions to communicate with the server. The token is then available for any requests originating from server-side code. This is also known as the backend for frontend (BFF) proxy.
How to store OIDC tokens? ›
You can store the tokens wherever you like, but the most common approaches are:
- Store the tokens inside the cookie. If the tokens are large, then this might be a problem because the cookies might get quite big.
- Store the tokens in a cache in memory or in a database and store a "reference" to them in the session cookie.
Where to store access token reddit? ›
You can only store the update token in a cookie with httpOnly, sameSite, etc. set. In one of the sites it was written that it is better to store the access token in in-memory storage, in this case it was a custom hook with ContextProvider.
What is the safest way to store ERC20 tokens? ›
Looking for the safest ERC20 wallet for long-term investors? If so, look no further than Trezor. This established hardware wallet provider offers cold storage solutions - so the private keys are never exposed to the internet. This allows users to keep their ERC20 token investments offline at all times.
Is it safe to save tokens in local storage? ›
On the downside, localStorage is potentially vulnerable to cross-site scripting (XSS) attacks. If an attacker can inject malicious JavaScript into a webpage, they can steal an access token in localStorage. Also, unlike cookies, localStorage doesn't provide secure attributes that you can set to block attacks.
Where should I store access token in front end? ›
There are three common options: local storage, session storage, and cookies. Each one has its pros and cons, but none of them is completely safe from attacks. Local storage and session storage are vulnerable to cross-site scripting (XSS) attacks, where malicious scripts can access and steal your tokens.
Is it safe to store tokens in cookies? ›
Storing JWT (JSON Web Token) in a cookie is considered safer than storing it in session storage or local storage for several reasons: Cookies are less vulnerable to Cross-Site Scripting (XSS) attacks than session storage or local storage.
How do I keep my access token alive? ›
Keeping access tokens fresh and valid
- Use refresh tokens. Refresh tokens can be used by developers to obtain a newly-issed access token. ...
- Implement a separate process to keep tokens fresh. ...
- Avoid race conditions. ...
- Consider using JWT auth.
Should I store ID token? ›
We recommend against storing ID tokens. If you must do so, ensure that you clear the tokens when users log out or delete accounts. In contrast to traditional web apps, single-page applications (SPAs) require client-side API calls to process user interactions.
Whenever a user signs in to an SSO service, the service creates an authentication token that remembers that the user is verified. An authentication token is a piece of digital information stored either in the user's browser or within the SSO service's servers, like a temporary ID card issued to the user.
Should you store tokens in database? ›
The safest approach would be to maintain them in the database. However, the access tokens generated are short-lived (1h). If you use Custom UI extensions and basic scopes and want to have some stateless session, storing access tokens in secure cookies should be fine.
Where should I store my token? ›
Browser in-memory scenarios. Auth0 recommends storing tokens in browser memory as the most secure option.
How to store tokens on server side? ›
BFF stores access token securely: The BFF stores the access token securely on the server side (e.g., in memory or a database) using encryption or hashing. Do not store the access token in plain text. Refresh tokens should be managed carefully due to their security implications.
What is token store? ›
Token Store is a point of sale and order management tool fully integrated with Token POS devices to help small enterprises in their in-store and online operations.
What is the best way to store coins? ›
For high-value coins, use hard plastic holders. Professional coin grading services use sealed holders called slabs to protect authenticated and graded coins. Use acid-free cardboard and plastic holders free from polyvinyl chloride (PVC). Acid and PVC can ruin a coin's surface.
How do I protect my tokens? ›
Token Best Practices
- Keep it secret. ...
- Do not add sensitive data to the payload: Tokens are signed to protect against manipulation and are easily decoded. ...
- Give tokens an expiration: Technically, once a token is signed, it is valid forever—unless the signing key is changed or expiration explicitly set.