Storing and Encrypting OAuth tokens

hlim96 · February 22, 2023, 6:13am

Hello,

My team and I are looking for a way to store and encrypt OAuth access tokens after fetching them from the sellers. While reading through the OAuth documents, we weren’t exactly sure about the following warning.

“Never store your credentials or access tokens in your version control system.”

What does “version control system” mean here? Does it literally refer to VCS like GitHub? One of our plans to handle the tokens was to encrypt and store them in our backend system and not push it to our repository - would this plan work, or should we move on to a different one?

Also, I was curious how other application developers encrypted their tokens. Would there be any tips or recommendations for it?

Thank you, and have a great day!

Bryan-Square · February 22, 2023, 7:01pm

Yes, the version control system is a GitHub like repository system. OAuth access tokens and refresh tokens should be stored encrypted in a secure database or keychain. Your application should use a strong encryption standard such as AES. The production encryption keys should not be accessible to database administrators, business analysts, developers, or anyone who does not need them. The tokens that these keys protect can be used to perform actions on behalf of the seller and should be guarded appropriately. The encryption keys should not be stored in source control and should only be accessible by server administrators…

Topic		Replies	Views
Multiple oAuth access and refresh tokens for single app on multiple machines Questions oauth-api	13	5347	May 5, 2022
Web payments SDK - where do i store the access token? Questions web-payments-sdk	1	1028	December 6, 2021
401 Unauthorized on /oauth2/token Questions oauth-api	2	5476	August 23, 2022
oAuth Access Token retries Questions	0	465	June 1, 2021
OAuth now supports PKCE Announcements oauth-api	8	2664	December 14, 2022

Storing and Encrypting OAuth tokens

Related topics