FROM CACHE - en_header
Promotion image
Our Partner & Developer boards on the community are moving to a brand new home: the .dev community forums! While you can still access past discussions here, for all your future app and storefront building questions, head over to the new forums.

Storing Access Tokens Client Side - safest way to do so?

Storing Access Tokens Client Side - safest way to do so?

Liquidator3358
Explorer
44 1 17
‎05-18-2022 03:44 PM

As most of you know, storing accessTokens client side can be a little hairy.  I have always been under the impression that you have three ways to do this - localStorage, in-memory (JS variable) or in a header of a cookie.  All three have their security pitfalls and their tradeoffs.

 

But, seeing as Shopify is a massive SaaS company, I was hoping there was some internal consensus on this.  Maybe there are more security layers in the backend that I am not familiar with and storing anything client side is not that big of deal.  For ease of use, localStorage is the way to go.  I have literally just started diving into the API and the documentation, so forgive me if I have glossed over anything. 

 

So, in short, what do you guys do to store your customerAccessTokens for authentication?

 

 

1,023 Views
1 Like
Report
Replies 2 (2)

Jamal_Ali
Shopify Partner
2 0 0
‎06-17-2022 02:51 PM

Hey Liquidator3358, what solution did you come up with for this? I have the exact same issue currently.

915 Views
0 Likes
Report
In response to Jamal_Ali

Liquidator3358
Explorer
44 1 17
‎11-09-2022 10:33 AM

I am proxying all my Shopify API calls from a custom backend so that I can use HTTP cookies and prevent any exposure of my credentials.  This also allows me to manage state safely, and without utilizing any client-side storage.

792 Views
0 Likes
Report
Terms of Service Privacy Policy