Storing Access Tokens Client Side - safest way to do so?

Liquidator3358

As most of you know, storing accessTokens client side can be a little hairy. I have always been under the impression that you have three ways to do this - localStorage, in-memory (JS variable) or in a header of a cookie. All three have their security pitfalls and their tradeoffs.

But, seeing as Shopify is a massive SaaS company, I was hoping there was some internal consensus on this. Maybe there are more security layers in the backend that I am not familiar with and storing anything client side is not that big of a deal. For ease of use, localStorage is the way to go. I have literally just started diving into the API and the documentation, so forgive me if I have glossed over anything.

So, in short, what do you guys do to store your customerAccessTokens for authentication?

Replies 2 (2)

Jamal_Ali

Hey Liquidator3358, what solution did you come up with for this? I have the exact same issue currently.

Liquidator3358

I am proxying all my Shopify API calls from a custom backend so that I can use HTTP cookies and prevent any exposure of my credentials. This also allows me to manage state safely, and without utilizing any client-side storage.
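
One way to implement the backend-proxy approach described in the last reply, as an added example that is not part of the original thread or Shopify's own code: the customerAccessToken stays in a server-side session store and the browser only receives an opaque session id in an HttpOnly cookie. The cookie name `sid`, the one-hour lifetime, the in-memory `Map` and all function names are assumptions made for illustration.

```javascript
// Added example: cookie name, TTL and function names are assumptions, not Shopify APIs.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const SESSION_COOKIE = "sid";      // hypothetical cookie name
const SESSION_TTL_SECONDS = 3600;  // assumed session lifetime
const sessions = new Map();        // sid -> { token, expiresAt }; use Redis or a DB in production

// After login, keep the customerAccessToken server-side and hand the browser
// only a random 256-bit session id that carries no meaning on its own.
function createSession(customerAccessToken, now = Date.now()) {
  const sid = Buffer.from(webcrypto.getRandomValues(new Uint8Array(32))).toString("hex");
  sessions.set(sid, { token: customerAccessToken, expiresAt: now + SESSION_TTL_SECONDS * 1000 });
  return sid;
}

// HttpOnly hides the cookie from page scripts, Secure restricts it to HTTPS,
// SameSite=Strict keeps it off cross-site requests.
function sessionCookie(sid) {
  return `${SESSION_COOKIE}=${sid}; Max-Age=${SESSION_TTL_SECONDS}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Extract the session id from a Cookie request header, or return null.
function readSessionId(cookieHeader = "") {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === SESSION_COOKIE) return rest.join("=") || null;
  }
  return null;
}

// Look up the token the proxy should use for the upstream API call.
// Unknown and expired sessions both yield null; expired ones are purged.
function tokenForRequest(cookieHeader, now = Date.now()) {
  const sid = readSessionId(cookieHeader);
  const entry = sid ? sessions.get(sid) : undefined;
  if (!entry) return null;
  if (entry.expiresAt <= now) { sessions.delete(sid); return null; }
  return entry.token;
}

// Logout: drop the server-side entry so the cookie value becomes useless.
function destroySession(cookieHeader) {
  const sid = readSessionId(cookieHeader);
  return sid ? sessions.delete(sid) : false;
}

// Constructed sample value, not a real credential.
console.log(sessionCookie(createSession("constructed-customer-access-token")));
```

The proxy route would call `tokenForRequest(req.headers.cookie)` and reject the request with 401 when it returns null, so the token is never present in any response body or header sent to the browser.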