 

How to store JWT and Refresh Tokens in a app or a browser?

I built a REST API which handles requests using JWT and refresh tokens, but I am not sure how to store them on the client side.

Should I store both in cookies with the HttpOnly flag?

Should I store both in cookies, or one in local storage, for example shared preferences (Android app)?

I am very interested in what the best practice is for handling these tokens on the client side.

Kapin asked Oct 15 '25 05:10



1 Answer

Standard recommendations:

  • In a mobile UI, store tokens in OS secure storage
  • In a Web UI, store the access token in memory
  • In a Web UI, refresh tokens in cookies work best

It requires a lot of discipline to do properly. My blog has posts and code samples you can run to understand this stuff. Maybe start here:

  • Browser Token Security
  • Android Code Sample
Gary Archer answered Oct 17 '25 20:10
