Secure Token Storage - Pleo Docs

Recommended Storage Practices
Frontend Clients (SPAs, Mobile Apps)
Backend Applications / Server-Side
General Security Guidelines
Monitoring and Auditing
Related Reading

OAuth 2.0 access and refresh tokens are sensitive credentials that grant access to user data. Storing tokens securely is critical to maintaining the integrity of your integration and protecting user data. Improper storage can lead to:

Account compromise if tokens are stolen
Unauthorized API access
Broken integrations due to revoked or leaked tokens

Recommended Storage Practices

Frontend Clients (SPAs, Mobile Apps)

Use HTTP-only, Secure cookies for storing tokens in web applications.
Use platform-specific secure key stores (e.g., iOS Keychain, Android Keystore) for mobile apps.
Never store tokens in local storage, session storage, or plain text files.

Backend Applications / Server-Side

Store tokens in encrypted databases or secure vaults.
Apply strict access controls to token storage.
Rotate encryption keys and credentials periodically.

General Security Guidelines

Encrypt tokens at rest and in transit.
Avoid logging tokens or including them in error messages.
Implement token revocation and cleanup procedures for inactive users or expired tokens.
Use a centralised token refresh mechanism to minimise the number of storage locations.

Monitoring and Auditing

Track access and refresh token usage to detect suspicious activity.
Monitor for failed refresh attempts, which may indicate expired or compromised tokens.

OAuth 2.0 Overview - introduction to OAuth 2.0 for Pleo integrations
API Keys Overview – alternative authentication method
Tokens Overview – understanding access and refresh tokens
Centralised Token Refresh – safe token refresh patterns
Race Condition Prevention – avoid duplicate token refresh attempts
OAuth 2.0 Setup Workflow Guide - Step-by-step guide to configure OAuth 2.0 for your integration

Race Condition Prevention Handling Refresh Token Expiry or Revocation

⌘I