Online Access Tokens - API Access Token Security

New Member

Hi there,

I am trying to create an application that will need to fetch discounts from stores that sign up. Offline tokens seem optimal as they persist until app deletion, but in case of a security breach, this isn't optimal IMO. Is there a way to make it so that I only store some kind of intermediary token that will then be used to fetch an online accessToken, which has an expiration date? Has anyone else encountered this use case?

0 Likes
Pathfinder

What stack are you using to build your app? Where do you plan on storing your merchants' access tokens? If you store them in a secure database that only you have access to and make your API calls on the server side, what kind of breach are you anticipating?

0 Likes
New Member

What stack?

Node.js/React

Where do you plan on storing your merchants' access tokens?

It'll be stored in a GCP database, Spanner, more specifically. Ensuring more security on top of that would be preferred. The thought of storing permanent tokens for many merchants is a large responsibility. It's not that I don't trust myself or Google's security layer. I just want to design this with even more security in mind.

0 Likes
Pathfinder

I see. This might be a question better suited for Stack Overflow and generalized about third-party API access tokens. I personally use Firebase and have read/write for my Shopify App's database set only to my secret key, so I believe unless someone were to hack into my Google account and somehow bypass my 2 factor authentication, I consider it fairly safe (I imagine Spanner is similar).

If you do ask it on SO and get responses, please link it here as I'd love to hear what others have to say.

0 Likes