Storing and Removing Tokens

OAuth tokens should be stored securely on the device. Use the Android Keystore on Android and the iOS Keychain on iOS.

Cotter's SDK generally handles token storage in your app.

React Native

✅ Cotter's React Native SDK automatically stores your tokens securely inside the device's secure storage.

Getting tokens from the Storage

You should pass the access_token on every API call to your backend server whenever necessary. You can use the id_token to read information about your user. To get the access_token and id_token from the secure storage:

const getAccessToken = async () => {
  try {
    // Reads the access token from secure storage
    var accessToken = await cotter.tokenHandler.getAccessToken();
    // Logged here for demonstration; do not log tokens in production builds
    console.log('Access Token', accessToken);
  } catch (err) {
    console.log('Access Token Error', err);
  }
};

const getIDToken = async () => {
  try {
    // Reads the ID token from secure storage
    var idToken = await cotter.tokenHandler.getIDToken();
    console.log('ID Token', idToken);
  } catch (err) {
    console.log('ID Token Error', err);
  }
};

The returned accessToken and idToken will contain the JWT token string, as well as the decoded payload of the token:

Access Token
{
  // 👇Decoded Access Token Payload
  "payload": {
    "aud": "e8f34b64-52d0-4c78-b9a9-012bcdac65d3",
    "authentication_method": "TRUSTED_DEVICE",
    "client_user_id": "1223",
    "exp": 1586238412,
    "iat": 1586234812,
    "iss": "",
    "scope": "access",
    "sub": "USER:e09efb1b-e50f-41fd-8530-88ffbcd80f59",
    "type": "client_access_token"
  },
  // 👇Access Token String
  // Pass this to your server on the http request header
  // Authorization: Bearer <access_token>
  "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfdXNlcl9pZCI6IjEyMjMiLCJhdXRoZW50aWNhdGlvbl9tZXRob2QiOiJUUlVTVEVEX0RFVklDRSIsInR5cGUiOiJjbGllbnRfYWNjZXNzX3Rva2VuIiwic2NvcGUiOiJhY2Nlc3MiLCJhdWQiOiJlOGYzNGI2NC01MmQwLTRjNzgtYjlhOS0wMTJiY2RhYzY1ZDMiLCJleHAiOjE1ODYyMzg0MTIsImlhdCI6MTU4NjIzNDgxMiwiaXNzIjoiaHR0cHM6Ly93d3cuY290dGVyLmFwcCIsInN1YiI6IlVTRVI6ZTA5ZWZiMWItZTUwZi00MWZkLTg1MzAtODhmZmJjZDgwZjU5In0.qnY-iCpRxIyI03IPA7CHbB8JXeCNqGbM5F-mWQdAXGLlSriOH2pmmme-BoHup8i_Mgxtk48TKTW4HjL8WoZHPw"
}

Refreshing Tokens

Since access tokens and ID tokens expire in 1 hour, Cotter's SDK automatically refreshes the tokens whenever the access_token or id_token expires and there is a valid refresh_token present. This refresh happens when you call cotter.tokenHandler.getAccessToken().

The refresh_token expires every 30 days, so you need to re-authenticate users when the refresh_token expires. If you're using Trusted Devices and the current device is a trusted device, re-authentication can be done silently by calling cotter.trustedDevice.requestAuth.
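
The following request helper is an added example, not part of Cotter's documentation or SDK. It takes the { token, payload } object returned by cotter.tokenHandler.getAccessToken(), checks the type and exp claims, and attaches the token as Authorization: Bearer only for requests to your own backend over HTTPS. API_BASE, CLOCK_SKEW_SECONDS, buildAuthHeaders, isAllowedUrl and authorizedFetch are hypothetical names, and the backend URL is a placeholder.

```javascript
// Added example. Only cotter.tokenHandler.getAccessToken() comes from the page;
// every other name here is hypothetical.
const API_BASE = 'https://api.example.com/'; // placeholder: your backend, HTTPS only
const CLOCK_SKEW_SECONDS = 30;

// Build headers from the { token, payload } object getAccessToken() returns.
// Throws rather than sending a missing, wrong-type or stale token.
function buildAuthHeaders(accessToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!accessToken || typeof accessToken.token !== 'string' || !accessToken.payload) {
    throw new Error('no access token: user must authenticate');
  }
  const { type, exp } = accessToken.payload;
  if (type !== 'client_access_token') {
    throw new Error('refusing to send a non-access token as Bearer');
  }
  if (typeof exp !== 'number' || exp - CLOCK_SKEW_SECONDS <= nowSeconds) {
    throw new Error('access token expired');
  }
  return { Authorization: `Bearer ${accessToken.token}` };
}

// The token may only go to the configured backend. Matching the full prefix,
// trailing slash included, rejects http:// and look-alike hosts such as
// https://api.example.com.evil.test/.
function isAllowedUrl(url) {
  return typeof url === 'string' && url.startsWith(API_BASE);
}

// tokenHandler is cotter.tokenHandler in the app; fetchImpl can be swapped in tests.
async function authorizedFetch(tokenHandler, url, options = {}, fetchImpl = fetch) {
  if (!isAllowedUrl(url)) {
    throw new Error('refusing to attach token to a URL outside API_BASE');
  }
  const accessToken = await tokenHandler.getAccessToken(); // SDK refreshes if expired
  const headers = { ...options.headers, ...buildAuthHeaders(accessToken) };
  return fetchImpl(url, { ...options, headers });
}
```

When authorizedFetch throws because no valid token is available, re-authenticate the user as described above.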

Removing tokens from the Storage (Log Out)

To log out your users, remove all tokens from the storage. To do that:

const logOut = () => {
Other SDKs (coming soon)

We'll add support for JS, Android and iOS soon 😉. Stay tuned!