# Secure Token Storage

OAuth 2.0 access and refresh tokens are sensitive credentials that grant access to user data. **Storing tokens securely is critical to maintaining the integrity of your integration implementation and protecting user data.**

Improper storage can lead to:

* Account compromise if tokens are stolen
* Unauthorized API access
* Broken integrations due to revoked or leaked tokens

## Recommended Storage Practices

### Frontend Clients (SPAs, Mobile Apps)

* Use **HTTP-only, Secure cookies** for storing tokens in web applications.
* Use platform-specific **secure key stores** (e.g., iOS Keychain, Android Keystore) for mobile apps.
* Never store tokens in **local storage, session storage, or plain text files**.
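A concrete form of the first point, added here as an example rather than code from Pleo's documentation: a Go backend (or backend-for-frontend) issues the token cookie with the HttpOnly, Secure and SameSite attributes set, clears it on logout, and exposes a check a review can apply to any parsed Set-Cookie result. The cookie name `pleo_session`, the `/api` path, the one-hour lifetime and the certificate paths are assumptions of this example.

```go
package main

import (
	"net/http"
	"time"
)

// tokenCookieName is a constructed name; choose one that does not advertise its contents.
const tokenCookieName = "pleo_session"

// SetTokenCookie issues the cookie with the attributes the guidance calls for:
// HttpOnly keeps it out of reach of page scripts, Secure restricts it to HTTPS,
// and SameSite stops the browser attaching it to cross-site requests. Path and
// MaxAge bound it to the API routes and to the token's own lifetime.
func SetTokenCookie(w http.ResponseWriter, value string, ttl time.Duration) {
	http.SetCookie(w, &http.Cookie{
		Name:     tokenCookieName,
		Value:    value,
		Path:     "/api",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
		MaxAge:   int(ttl.Seconds()),
	})
}

// ClearTokenCookie expires the cookie on logout or once the token is revoked,
// so a dead credential is not left sitting in the browser.
func ClearTokenCookie(w http.ResponseWriter) {
	http.SetCookie(w, &http.Cookie{
		Name: tokenCookieName, Value: "", Path: "/api", MaxAge: -1,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	})
}

// CookieIsHardened is the check a review (or a test) applies to a parsed
// Set-Cookie result: all three protective attributes must be present.
func CookieIsHardened(c *http.Cookie) bool {
	sameSiteOK := c.SameSite == http.SameSiteLaxMode || c.SameSite == http.SameSiteStrictMode
	return c.HttpOnly && c.Secure && sameSiteOK
}

func main() {
	http.HandleFunc("/api/login", func(w http.ResponseWriter, r *http.Request) {
		// The value comes from your session or token layer; constructed here.
		SetTokenCookie(w, "constructed-opaque-value", time.Hour)
		w.WriteHeader(http.StatusNoContent)
	})
	http.HandleFunc("/api/logout", func(w http.ResponseWriter, r *http.Request) {
		ClearTokenCookie(w)
		w.WriteHeader(http.StatusNoContent)
	})
	// Secure cookies are only sent over HTTPS, so serve TLS; the cert paths are placeholders.
	_ = http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", nil)
}
```

Because page scripts cannot read an HttpOnly cookie, the token never passes through the client-side code path that local or session storage would expose it to; the browser attaches it on its own, which is why the SameSite attribute matters as well.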

### Backend Applications / Server-Side

* Store tokens in **encrypted databases** or **secure vaults**.
* Apply **strict access controls** to token storage.
* Rotate encryption keys and credentials periodically.
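The three points above fit together in an encrypted token store with a key ID on every row; the following Go code is an added example, not Pleo's implementation. Tokens are sealed with AES-256-GCM, the owning account's ID is bound as associated data so a ciphertext cannot be moved onto another account's row, each stored row records which key sealed it, and rotation is done by re-wrapping rows under the new key and then retiring the old one. The `Keyring` type, the `TokenRecord` row shape, the owner ID and the key IDs `k1`/`k2` are assumptions of this example; in production the keys come from a KMS or secrets vault, not from the same database as the rows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// TokenRecord is the row shape persisted in the database: Ciphertext never
// reveals the token, and KeyID records which key sealed it so rotation can run row by row.
type TokenRecord struct {
	KeyID      string
	Ciphertext string // base64(nonce || AES-GCM ciphertext and tag)
}

// Keyring maps key IDs to 32-byte AES-256 keys; Current is used for new writes.
type Keyring struct {
	Current string
	Keys    map[string][]byte
}

func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a token under the current key. ownerID is bound as associated
// data, so a ciphertext copied onto another owner's row will not decrypt.
func (kr *Keyring) Seal(token, ownerID string) (TokenRecord, error) {
	aead, err := gcmFor(kr.Keys[kr.Current]) // a missing key fails here with a key-size error
	if err != nil {
		return TokenRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return TokenRecord{}, err
	}
	ct := aead.Seal(nonce, nonce, []byte(token), []byte(ownerID))
	return TokenRecord{KeyID: kr.Current, Ciphertext: base64.StdEncoding.EncodeToString(ct)}, nil
}

// Open decrypts a record with whichever key sealed it and verifies the owner binding.
func (kr *Keyring) Open(rec TokenRecord, ownerID string) (string, error) {
	key, ok := kr.Keys[rec.KeyID]
	if !ok {
		return "", fmt.Errorf("record sealed with unknown key %q", rec.KeyID)
	}
	aead, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil || len(raw) < aead.NonceSize() {
		return "", errors.New("malformed token record")
	}
	pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(ownerID))
	if err != nil {
		return "", errors.New("token record failed authentication") // wrong key, wrong owner, or tampering
	}
	return string(pt), nil
}

// Rewrap moves a record onto the current key; run it over every row, then drop the old key.
func (kr *Keyring) Rewrap(rec TokenRecord, ownerID string) (TokenRecord, error) {
	if rec.KeyID == kr.Current {
		return rec, nil
	}
	token, err := kr.Open(rec, ownerID)
	if err != nil {
		return TokenRecord{}, err
	}
	return kr.Seal(token, ownerID)
}

func main() {
	k1, _ := NewKey()
	kr := &Keyring{Current: "k1", Keys: map[string][]byte{"k1": k1}}
	rec, _ := kr.Seal("rt-CONSTRUCTED", "company-42") // constructed token and owner
	k2, _ := NewKey() // rotate: add k2, make it current, rewrap every row, retire k1
	kr.Keys["k2"], kr.Current = k2, "k2"
	rec, _ = kr.Rewrap(rec, "company-42")
	delete(kr.Keys, "k1")
	tok, err := kr.Open(rec, "company-42")
	fmt.Println("key", rec.KeyID, "token", tok, "err", err)
}
```

Strict access control then means that only the service performing refreshes holds the keyring; a database reader without it sees nothing usable, and once the old key is deleted any row that was not re-wrapped becomes unreadable, so the rotation job has to complete before the retirement step.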

### General Security Guidelines

* **Encrypt tokens at rest** and in transit.
* **Avoid logging tokens** or including them in error messages.
* Implement **token revocation and cleanup** procedures for inactive users or expired tokens.
* Use a [**centralised token refresh mechanism**](/docs/current/integration-design/auth/oauth/token-lifecycle/integration-design-auth-oauth-centralised-token-refresh) to minimise the number of storage locations.
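For the point about logging, an added example in Go that is not from Pleo's documentation: a scrubber that removes bearer headers, OAuth form parameters and JSON token fields from any string before it reaches a log line or an error response, a fingerprint helper for referring to a token in a log without reproducing it, and an error wrapper that applies the scrubber. The regular expressions, the `[REDACTED]` marker and the sample lines are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// Places tokens commonly leak into logs: Authorization headers, OAuth form or
// query parameters, and JSON token fields. These patterns are constructed for
// this example; extend them to match your own HTTP client's error text.
var tokenPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)(authorization:\s*bearer\s+)[^\s"']+`),
	regexp.MustCompile(`(?i)(\b(?:access_token|refresh_token|client_secret|code)=)[^&\s"']+`),
	regexp.MustCompile(`(?i)("(?:access_token|refresh_token|id_token)"\s*:\s*")[^"]+`),
}

// Redact replaces every token-looking value with a marker while keeping the
// surrounding context (header or parameter name) so the line stays useful.
func Redact(s string) string {
	for _, re := range tokenPatterns {
		s = re.ReplaceAllString(s, "${1}[REDACTED]")
	}
	return s
}

// Fingerprint gives a short, non-reversible handle for a token so a log line
// can say which stored token failed to refresh without containing the token.
func Fingerprint(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:4])
}

// SafeError wraps an upstream error so its message is scrubbed before it can
// reach a log sink or an HTTP error body.
func SafeError(op string, err error) error {
	return fmt.Errorf("%s: %s", op, Redact(err.Error()))
}

func main() {
	// Constructed lines of the kind an HTTP client or OAuth library might emit.
	samples := []string{
		`POST /oauth/token body=grant_type=refresh_token&refresh_token=rt-CONSTRUCTED&client_secret=cs-CONSTRUCTED`,
		`request headers: Authorization: Bearer at-CONSTRUCTED.payload.sig`,
		`response: {"access_token":"at-CONSTRUCTED","token_type":"bearer","expires_in":3600}`,
	}
	for _, s := range samples {
		fmt.Println(Redact(s))
	}
	err := SafeError("refresh token", errors.New(`invalid_grant for refresh_token=rt-CONSTRUCTED`))
	fmt.Println(err, "token fp:", Fingerprint("rt-CONSTRUCTED"))
}
```

Wire `Redact` into the logger's formatting hook rather than calling it at each log site, so a new code path cannot forget it; the fingerprint is four bytes of a hash, enough to correlate events for one token but not to recover or guess it.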

## Monitoring and Auditing

* Track access and refresh token usage to detect suspicious activity.
* Monitor for failed refresh attempts, which may indicate expired or compromised tokens.
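As an added example of the second point, not Pleo's own tooling: a small Go monitor that replays refresh events, counts failures per connected account inside a sliding window, and raises one alert when an account's failures reach a threshold, so the integration can stop retrying and ask for re-authorisation instead of hammering the token endpoint. The `RefreshEvent` shape, the ten-minute window, the threshold of three, the account names and the timestamps are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
)

// RefreshEvent is one token-refresh attempt as an integration would record it
// (a constructed shape for this example; map your own audit log onto it).
type RefreshEvent struct {
	At        time.Time
	OwnerID   string // the connected account whose refresh token was used
	Success   bool
	ErrorKind string // the OAuth error code on failure; empty on success
}

// RefreshMonitor raises an alert once an owner accumulates Threshold failed
// refreshes inside Window. A run of failures is the signal the guidance
// describes: the stored refresh token has expired, been revoked, or is no
// longer the one the authorisation server expects.
type RefreshMonitor struct {
	Window    time.Duration
	Threshold int
	failures  map[string][]time.Time
}

func NewRefreshMonitor(window time.Duration, threshold int) *RefreshMonitor {
	return &RefreshMonitor{Window: window, Threshold: threshold, failures: map[string][]time.Time{}}
}

// Observe records one event. It returns a non-empty alert the first time the
// owner's failure count within the window reaches the threshold.
func (m *RefreshMonitor) Observe(ev RefreshEvent) string {
	if ev.Success {
		delete(m.failures, ev.OwnerID) // a successful refresh ends the streak
		return ""
	}
	cutoff := ev.At.Add(-m.Window)
	kept := make([]time.Time, 0, len(m.failures[ev.OwnerID])+1)
	for _, t := range m.failures[ev.OwnerID] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	kept = append(kept, ev.At)
	m.failures[ev.OwnerID] = kept
	if len(kept) == m.Threshold {
		return fmt.Sprintf("owner %s: %d failed refreshes within %s (last error %q); stop retrying and require re-authorisation",
			ev.OwnerID, len(kept), m.Window, ev.ErrorKind)
	}
	return ""
}

// Replay runs the monitor over an ordered event log and returns the alerts raised.
func Replay(events []RefreshEvent, window time.Duration, threshold int) []string {
	m := NewRefreshMonitor(window, threshold)
	var alerts []string
	for _, ev := range events {
		if a := m.Observe(ev); a != "" {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

func main() {
	base := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timestamps
	events := []RefreshEvent{
		{base, "company-A", false, "invalid_grant"},
		{base.Add(1 * time.Minute), "company-B", true, ""},
		{base.Add(2 * time.Minute), "company-A", false, "invalid_grant"},
		{base.Add(3 * time.Minute), "company-A", false, "invalid_grant"},
		{base.Add(4 * time.Minute), "company-A", false, "invalid_grant"},
	}
	for _, a := range Replay(events, 10*time.Minute, 3) {
		fmt.Println("ALERT:", a)
	}
}
```

The alert fires exactly once per streak, a success clears the streak, and failures older than the window are forgotten, so a single transient error does not page anyone while a revoked token is caught within a few attempts.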

## Related Reading

* **[OAuth 2.0 Overview](/docs/current/integration-design/auth/oauth/integration-design-auth-oauth-overview)** – introduction to OAuth 2.0 for Pleo integrations
* **[API Keys Overview](/docs/current/authentication/standalone-api-keys-overview)** – alternative authentication method
* **[Tokens Overview](/docs/current/integration-design/auth/oauth/token-lifecycle/integration-design-auth-oauth-token-overview)** – understanding access and refresh tokens
* **[Centralised Token Refresh](/docs/current/integration-design/auth/oauth/token-lifecycle/integration-design-auth-oauth-centralised-token-refresh)** – safe token refresh patterns
* **[Race Condition Prevention](/docs/current/integration-design/auth/oauth/token-lifecycle/integration-design-auth-oauth-race-condition-prevention)** – avoid duplicate token refresh attempts
* **[OAuth 2.0 Setup Workflow Guide](/docs/current/guides/oauth-workflow-guide)** – step-by-step guide to configuring OAuth 2.0 for your integration
