Storing and Encrypting OAuth tokens


My team and I are looking for a way to store and encrypt OAuth access tokens after fetching them from the sellers. While reading through the OAuth documents, we weren’t exactly sure about the following warning.

“Never store your credentials or access tokens in your version control system.”

What does “version control system” mean here? Does it literally refer to VCS like GitHub? One of our plans to handle the tokens was to encrypt and store them in our backend system and not push it to our repository - would this plan work, or should we move on to a different one?

Also, I was curious how other application developers encrypted their tokens. Would there be any tips or recommendations for it?

Thank you, and have a great day!

Yes, the version control system is a GitHub like repository system. OAuth access tokens and refresh tokens should be stored encrypted in a secure database or keychain. Your application should use a strong encryption standard such as AES. The production encryption keys should not be accessible to database administrators, business analysts, developers, or anyone who does not need them. The tokens that these keys protect can be used to perform actions on behalf of the seller and should be guarded appropriately. The encryption keys should not be stored in source control and should only be accessible by server administrators… :slightly_smiling_face: