Handling OAuth Tokens after successful request

Hello,

I started working on a Bot/Dashboard similar to Nightbot as a learning project and I’m not sure how to handle OAuth tokens after I receive them. I know that I use them to make API calls based on the scopes assigned, but do I store them in a database and grab them when needed? Is that a security risk? Do I need to handle refreshing tokens since they now expire? The server for the application will handle all Twitch API calls and the client will only interact with the application; the client will not make direct calls to the API.

The documentation does not really talk about how to handle tokens after receiving them (unless I missed it somewhere), so I could use some clarification. I can try to provide additional information if needed. Thanks!

The documentation doesn’t really clarify how to store the tokens because how tokens are handled is usually the developer’s job. They do, however, specify a warning:

Warning: Treat your token like a password. For example, never use access tokens in any public URL, and never display tokens on any web page without requiring a click to de-obfuscate. Keep tokens private!

So ultimately you can store them however you want. The security aspect depends on your knowledge of handling sensitive information. If no API calls are made client side and the client instead asks your server to make the request to the API on its behalf, you can make the request server side and then send the data back to the client. In this case, storing the tokens in a database or file wouldn’t hurt.

As long as the tokens don’t expire you can continue using them. Once they expire you will need to refresh them.

Hopefully I helped answer your question!
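The pattern the reply describes (tokens held only on the server, used on the user's behalf, refreshed once they expire) can be made concrete with a small server-side store. The following is an added example written for this thread, not code from the original posts or from Twitch. It assumes the token endpoint returns JSON with `access_token`, `refresh_token`, `expires_in` and `scope` fields, uses SQLite as the database, and takes the refresh call as an injected callable (hypothetical `RefreshFn`) so it runs offline; a real deployment would POST to Twitch's token endpoint with `grant_type=refresh_token` there. `TokenStore`, `redact` and `simulate` are names chosen for this example.

```python
import sqlite3
import time
from typing import Any, Callable, Dict

# Refresh callable: takes a refresh token and returns the token endpoint's JSON.
# Injected so the store can be exercised offline; a real implementation would
# POST to the OAuth token endpoint with grant_type=refresh_token.
RefreshFn = Callable[[str], Dict[str, Any]]

# Refresh slightly before the recorded expiry so an API call that is already
# in flight never races the expiry instant.
REFRESH_SKEW_SECONDS = 60


class TokenStore:
    """Server-side store for per-user OAuth tokens (hypothetical helper).

    Tokens never leave the server: the client talks to this application, and
    the application uses the stored token to call the API on the user's behalf.
    """

    def __init__(self, path: str = ":memory:", now: Callable[[], float] = time.time) -> None:
        self.conn = sqlite3.connect(path)
        self.now = now  # injectable clock, so expiry can be tested deterministically
        self.conn.execute(
            """CREATE TABLE IF NOT EXISTS oauth_tokens (
                   user_id       TEXT PRIMARY KEY,
                   access_token  TEXT NOT NULL,
                   refresh_token TEXT NOT NULL,
                   expires_at    REAL NOT NULL,
                   scopes        TEXT NOT NULL)"""
        )

    def save(self, user_id: str, token_response: Dict[str, Any]) -> None:
        # Store an absolute expiry instant rather than the relative expires_in,
        # so later checks do not depend on when the row was written.
        expires_at = self.now() + float(token_response["expires_in"])
        scopes = " ".join(token_response.get("scope", []))
        # Parameterised statement: user ids and token values never enter the SQL text.
        self.conn.execute(
            "INSERT OR REPLACE INTO oauth_tokens VALUES (?, ?, ?, ?, ?)",
            (user_id, token_response["access_token"], token_response["refresh_token"],
             expires_at, scopes),
        )
        self.conn.commit()

    def get_access_token(self, user_id: str, refresh: RefreshFn) -> str:
        """Return a usable access token, refreshing and re-saving if it is (nearly) expired."""
        row = self.conn.execute(
            "SELECT access_token, refresh_token, expires_at, scopes "
            "FROM oauth_tokens WHERE user_id = ?",
            (user_id,),
        ).fetchone()
        if row is None:
            raise KeyError(f"no tokens stored for user {user_id}")
        access_token, refresh_token, expires_at, scopes = row
        if self.now() < expires_at - REFRESH_SKEW_SECONDS:
            return access_token
        # Expired or inside the skew window: exchange the refresh token and overwrite the row.
        fresh = refresh(refresh_token)
        fresh.setdefault("refresh_token", refresh_token)  # keep the old one if none was issued
        fresh.setdefault("scope", scopes.split())
        self.save(user_id, fresh)
        return fresh["access_token"]


def redact(token: str) -> str:
    """Log-safe form of a token: never write the full value to logs, URLs or pages."""
    return "***" + token[-4:] if len(token) > 8 else "***"


def simulate() -> Dict[str, Any]:
    """Drive the store with a fake clock and a fake token endpoint (constructed data)."""
    clock = {"t": 1_000_000.0}
    store = TokenStore(now=lambda: clock["t"])
    refresh_calls = []

    def fake_refresh(refresh_token: str) -> Dict[str, Any]:
        refresh_calls.append(refresh_token)
        return {"access_token": "access-token-2", "refresh_token": "refresh-token-2",
                "expires_in": 3600}

    # Constructed stand-in for the JSON returned by the initial authorization-code exchange.
    store.save("user-123", {"access_token": "access-token-1", "refresh_token": "refresh-token-1",
                            "expires_in": 3600, "scope": ["chat:read"]})
    first = store.get_access_token("user-123", fake_refresh)   # still valid, no refresh
    clock["t"] += 3600 - 30                                    # now inside the skew window
    second = store.get_access_token("user-123", fake_refresh)  # triggers one refresh
    third = store.get_access_token("user-123", fake_refresh)   # refreshed token reused
    return {"first": first, "second": second, "third": third,
            "refresh_calls": refresh_calls, "redacted": redact(second)}


if __name__ == "__main__":
    print(simulate())
```

Two points worth keeping when adapting this: the database row is the only copy of the token, so the same controls that protect password hashes apply to it (restricted file or DB permissions, and in production encrypting the token columns with a key held outside the database); and `redact` is what should reach any log line or debugging page, in line with the warning quoted above.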
