Storing Access Tokens Client Side - safest way to do so?

Liquidator3358
Explorer
44 1 15

As most of you know, storing accessTokens client side can be a little hairy.  I have always been under the impression that you have three ways to do this - localStorage, in-memory (JS variable) or in a header of a cookie.  All three have their security pitfalls and their tradeoffs.
But, seeing as Shopify is a massive SaaS company, I was hoping there was some internal consensus on this.  Maybe there are more security layers in the backend that I am not familiar with and storing anything client side is not that big of deal.  For ease of use, localStorage is the way to go.  I have literally just started diving into the API and the documentation, so forgive me if I have glossed over anything. 
So, in short, what do you guys do to store your customerAccessTokens for authentication?
Replies 2 (2)

Jamal_Ali
Shopify Partner
2 0 0

Hey Liquidator3358, what solution did you come up with for this? I have the exact same issue currently.

Liquidator3358
Explorer
44 1 15

I am proxying all my Shopify API calls from a custom backend so that I can use HTTP cookies and prevent any exposure of my credentials.  This also allows me to manage state safely, and without utilizing any client-side storage.