Storing Access Tokens Client Side - safest way to do so?

Liquidator3358
Explorer
44 1 17

As most of you know, storing accessTokens client side can be a little hairy.  I have always been under the impression that you have three ways to do this - localStorage, in-memory (JS variable) or in a header of a cookie.  All three have their security pitfalls and their tradeoffs.

But, seeing as Shopify is a massive SaaS company, I was hoping there was some internal consensus on this. Maybe there are more security layers in the backend that I am not familiar with and storing anything client side is not that big of a deal. For ease of use, localStorage is the way to go. I have literally just started diving into the API and the documentation, so forgive me if I have glossed over anything.

So, in short, what do you guys do to store your customerAccessTokens for authentication?

Replies 2 (2)

Jamal_Ali
Shopify Partner
2 0 0

Hey Liquidator3358, what solution did you come up with for this? I have the exact same issue currently.

Liquidator3358
Explorer
44 1 17

I am proxying all my Shopify API calls from a custom backend so that I can use HTTP cookies and prevent any exposure of my credentials.  This also allows me to manage state safely, and without utilizing any client-side storage.