I'm creating a simple website that interacts with a third-party API requiring user authentication. I've set it up with PKCE and am receiving both an access token and a refresh token. However, I want to keep this authentication live so users won't need to log in repeatedly. From my research, it appears that the only way to securely maintain these tokens is by sending them to a backend and using HttpOnly cookies. Is that the case? I want to be sure because this would be my only reason to create a backend API, which would add extra costs to my project.
4 Answers
Just a heads up, if you're using Dropbox's API, your users should log in on their website and authorize your app before returning to yours. Make sure you're not handling their credentials directly.
Actually, you only need a backend if you plan to refresh tokens before they expire, and if the third-party API can't handle that. If security is a major concern, definitely consider encrypting sensitive tokens.
It seems you can’t fully secure your tokens without a backend API. If you keep refresh tokens in localStorage, they’re at risk from XSS attacks. It’s risky to use them in the frontend without a secure approach.
Yes, to ensure long-term security for your tokens, you really do need a backend. Storing them in localStorage opens up vulnerabilities where an injected script or an XSS error could easily access those tokens.