As most of you know, storing accessTokens client side can be a little hairy. I have always been under the impression that you have three ways to do this - localStorage, in-memory (JS variable) or in a header of a cookie. All three have their security pitfalls and their tradeoffs.
But, seeing as Shopify is a massive SaaS company, I was hoping there was some internal consensus on this. Maybe there are more security layers in the backend that I am not familiar with and storing anything client side is not that big of deal. For ease of use, localStorage is the way to go. I have literally just started diving into the API and the documentation, so forgive me if I have glossed over anything.
So, in short, what do you guys do to store your customerAccessTokens for authentication?
I am proxying all my Shopify API calls from a custom backend so that I can use HTTP cookies and prevent any exposure of my credentials. This also allows me to manage state safely, and without utilizing any client-side storage.