How to store an access token securely?
When you receive an access_token from the Authorization Server, it is very important to store it securely. The access token is sensitive data: an attacker who steals it can perform every action the token permits on behalf of the victim, without needing the victim's password.
First, if you want to store the token in a cookie, you must set the HttpOnly flag. This makes the cookie unreadable from JavaScript (it no longer appears in document.cookie), so a cross-site scripting bug on your page cannot simply read the token out. We also recommend setting the Secure flag, so the browser only sends the cookie over HTTPS connections and it cannot be captured in transit. Setting SameSite (Lax or Strict) is a further worthwhile restriction, as it keeps the browser from attaching the cookie to most cross-site requests.
For additional safety we recommend encrypting the token before storing it in the cookie and decrypting it again, on the server, before sending it to our API to exchange it for user data. The encryption key must stay on the server: encrypting in the browser with a key available to JavaScript adds nothing, and a cookie that JavaScript cannot read (HttpOnly) is only useful if the server that receives it can decrypt it. Use an authenticated mode (for example AES-GCM) so a modified or forged cookie value is rejected rather than decrypted into garbage.