FROM CACHE - en_header

Storing Access Tokens Client Side - safest way to do so?

Liquidator3358
Explorer
43 1 12
‎05-18-2022 03:44 PM

As most of you know, storing accessTokens client side can be a little hairy.  I have always been under the impression that you have three ways to do this - localStorage, in-memory (JS variable) or in a header of a cookie.  All three have their security pitfalls and their tradeoffs.

 

But, seeing as Shopify is a massive SaaS company, I was hoping there was some internal consensus on this.  Maybe there are more security layers in the backend that I am not familiar with and storing anything client side is not that big of deal.  For ease of use, localStorage is the way to go.  I have literally just started diving into the API and the documentation, so forgive me if I have glossed over anything. 

 

So, in short, what do you guys do to store your customerAccessTokens for authentication?

 

 

460 Views
Report
Replies 2 (2)
Jamal_Ali
Shopify Partner
2 0 0
‎06-17-2022 02:51 PM

Hey Liquidator3358, what solution did you come up with for this? I have the exact same issue currently.

352 Views
0 Likes
Report
In response to Jamal_Ali
Liquidator3358
Explorer
43 1 12
‎11-09-2022 10:33 AM

I am proxying all my Shopify API calls from a custom backend so that I can use HTTP cookies and prevent any exposure of my credentials.  This also allows me to manage state safely, and without utilizing any client-side storage.

229 Views
0 Likes
Report
Community Browser
Terms of Service Privacy Policy