OAuth Tokens should be stored securely in the client.

• Mobile apps: Use Android Keystore for Android and iOS KeyChain for iOS apps.

• Websites: Store the access_token in memory, the refresh_token is automatically included in an httpOnly and Secure cookie with domain cotter.app that is automatically included when requesting to refresh token. Learn more on how to store JWT tokens securely.

SDK Support

Some of our SDKs handles storing the tokens for you:

• JavaScript (from npm): Getting the Logged-in User and OAuth tokens

• React Native: Getting the Logged-in User and OAuth tokens

• Flutter: Getting the Logged-in User and OAuth tokens