# Storing and Removing Tokens

OAuth tokens **should be stored securely in the client**.

* **Mobile apps:** Use [Android Keystore](https://developer.android.com/training/articles/keystore) for Android and [iOS Keychain](https://developer.apple.com/documentation/security/keychain_services) for iOS apps.
* **Websites:** Store the `access_token` in memory. The `refresh_token` is set in an `httpOnly` and `Secure` cookie with domain `cotter.app`, and that cookie is automatically included with requests to refresh the token. [Learn more on how to store JWT tokens securely.](https://dev.to/cotter/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end-15id)

{% hint style="success" %}
Cotter's SDK generally handles token storage in your app.
{% endhint %}
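
If you manage the tokens yourself on a website, the in-memory pattern described above can look like the following. This is an added example, not Cotter SDK code: `createTokenStore`, `decodeExp` and the `refreshFn` callback are hypothetical names, and `refreshFn` is assumed to call the refresh endpoint with `credentials: 'include'` so the browser attaches the `httpOnly` cookie.

```javascript
// Added example (hypothetical helper, not Cotter SDK code).
// The access token lives only in this closure, never in localStorage or
// sessionStorage, so a page reload drops it and a refresh is required.

// Read the JWT `exp` claim (seconds since epoch) without verifying the signature.
// Used only to decide when to refresh, never to make an authorization decision.
function decodeExp(jwt) {
  try {
    const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
    const exp = JSON.parse(atob(b64)).exp;
    return typeof exp === 'number' ? exp : 0;
  } catch (e) {
    return 0; // malformed token: treat as expired
  }
}

// refreshFn (assumption): async function that calls your refresh endpoint with
// fetch(..., { credentials: 'include' }) so the browser attaches the httpOnly
// cookie, and resolves to the new access token string.
function createTokenStore(refreshFn, { skewSeconds = 30, now = () => Date.now() } = {}) {
  let accessToken = null;
  let inFlight = null;   // shared promise: concurrent callers trigger one refresh
  let generation = 0;    // bumped on clear() so a late refresh cannot undo a logout

  const isFresh = () =>
    accessToken !== null && decodeExp(accessToken) - skewSeconds > now() / 1000;

  return {
    set(token) { accessToken = token; },
    peek() { return isFresh() ? accessToken : null; },
    async get() {
      if (isFresh()) return accessToken;
      if (!inFlight) {
        const gen = generation;
        inFlight = Promise.resolve()
          .then(() => refreshFn())
          .then((token) => {
            if (gen !== generation) return null; // logged out while refreshing
            accessToken = token;
            return token;
          })
          .finally(() => { if (gen === generation) inFlight = null; });
      }
      return inFlight;
    },
    clear() { generation += 1; accessToken = null; inFlight = null; },
  };
}
```

Call `clear()` on logout. Script cannot read or delete an `httpOnly` cookie, so removing the refresh token itself has to be done by the server that set it.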

### SDK Support

Some of our SDKs handle storing the tokens for you:

* **JavaScript** (from npm): [Getting the Logged-in User and OAuth tokens](https://docs.cotter.app/sdk-reference/web/getting-access-token-and-logged-in-user-info)
* **React Native**: [Getting the Logged-in User and OAuth tokens](https://docs.cotter.app/sdk-reference/react-native/getting-stored-oauth-tokens-and-user-information)
* **Flutter**: [Getting the Logged-in User](https://docs.cotter.app/sdk-reference/flutter/getting-the-logged-in-user) and [OAuth tokens](https://docs.cotter.app/sdk-reference/flutter/getting-oauth-tokens)
