I am trying to create an application that will need to fetch discounts from stores that sign up. Offline tokens seem optimal as they persist until app deletion, but in case of a security breach, this isn't optimal IMO. Is there a way to make it so that I only store some kind of intermediary token that will then be used to fetch an online accessToken, which has an expiration date? Has anyone else encountered this use case?
Where do you plan on storing your merchants' access tokens?
It'll be stored in a GCP database, Spanner, more specifically. Ensuring more security on top of that would be preferred. The thought of storing permanent tokens for many merchants is a large responsibility. It's not that I don't trust myself or Google's security layer. I just want to design this with even more security in mind.
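One way to get the layered design asked about above (the application only ever handles a short-lived handle, and the long-lived merchant token sits in the database encrypted under a key the database never holds), shown as an added example that is not code from this thread, from Shopify, or from GCP. `KeyService`, `MerchantTokenVault`, the session TTL and the token value `shpat_constructed_example` are all constructed for the illustration; the HMAC-based stream cipher inside `KeyService` is a standard-library stand-in for a Cloud KMS / AES-GCM envelope-encryption call and is not meant to be used as a cipher in its own right.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


class KeyService:
    """Stand-in for a KMS: the key-encryption key (KEK) lives here, never in the DB.
    Illustrative only: HMAC-SHA256 keystream + HMAC tag (encrypt-then-MAC) so the
    example runs offline; a real deployment would call Cloud KMS or AES-GCM here."""

    def __init__(self, kek: Optional[bytes] = None):
        kek = kek or secrets.token_bytes(32)
        # Derive separate sub-keys for confidentiality and integrity.
        self._enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def wrap(self, plaintext: bytes) -> bytes:
        """Encrypt and authenticate; the returned blob is what the database stores."""
        nonce = secrets.token_bytes(16)
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def unwrap(self, blob: bytes) -> bytes:
        """Verify the tag first, then decrypt; any tampering with the stored blob is rejected."""
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("stored token blob failed integrity check")
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))


class MerchantTokenVault:
    """Holds wrapped offline tokens (the 'database') and mints short-lived session handles.
    Request handlers only ever see a handle; the offline token is decrypted at the moment
    of the upstream API call and is never persisted in clear text."""

    def __init__(self, kms: KeyService, session_ttl: int = 300):
        self._kms = kms
        self._db: Dict[str, bytes] = {}                      # merchant_id -> wrapped token
        self._sessions: Dict[str, Tuple[str, float]] = {}    # handle -> (merchant_id, expiry)
        self._ttl = session_ttl

    def store_offline_token(self, merchant_id: str, offline_token: str) -> None:
        self._db[merchant_id] = self._kms.wrap(offline_token.encode())

    def issue_session(self, merchant_id: str, now: Optional[float] = None) -> str:
        """Return an unguessable handle that expires after the configured TTL."""
        if merchant_id not in self._db:
            raise KeyError(f"no offline token stored for {merchant_id}")
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(32)
        self._sessions[handle] = (merchant_id, now + self._ttl)
        return handle

    def token_for_session(self, handle: str, now: Optional[float] = None) -> str:
        """Resolve a handle to the merchant's offline token, refusing expired or unknown handles."""
        entry = self._sessions.get(handle)
        if entry is None:
            raise PermissionError("unknown session handle")
        merchant_id, expiry = entry
        now = time.time() if now is None else now
        if now >= expiry:
            del self._sessions[handle]
            raise PermissionError("session handle expired")
        return self._kms.unwrap(self._db[merchant_id]).decode()

    def database_dump(self) -> Dict[str, bytes]:
        """What an attacker with read access to the database alone would obtain."""
        return dict(self._db)


if __name__ == "__main__":
    vault = MerchantTokenVault(KeyService(), session_ttl=60)
    vault.store_offline_token("shop-a", "shpat_constructed_example")  # constructed value
    handle = vault.issue_session("shop-a")
    print("DB holds plaintext?", b"shpat_" in vault.database_dump()["shop-a"])
    print("resolved via handle:", vault.token_for_session(handle))
```

The point the example makes is separation of concerns: a dump of the Spanner table yields only ciphertext, the decryption key is held by a separate service with its own access controls and audit log, and anything that travels through request handlers is a handle that dies after a few minutes instead of a credential that lives until the merchant uninstalls the app.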
I see. This might be a question better suited for Stack Overflow and generalized about third-party API access tokens. I personally use Firebase and have read/write for my Shopify App's database set only to my secret key, so I believe unless someone were to hack into my Google account and somehow bypass my 2 factor authentication, I consider it fairly safe (I imagine Spanner is similar).
If you do ask it on SO and get responses, please link it here as I'd love to hear what others have to say.