Where do I store the token?

I have a mobile app (html5 cordova) that talks to a Apigee 127 api layer (as of now hosted on Apigee Edge). The a127 app front ends a backend OAuth server that responds with an Access token.

As with any other OAuth flow, this token has to be passed on in the header of all the subsequent API requests. Now where do I store the token?

1. Do I store it in the mobile app? (have separate implementations for iOS and Android) OR

2. Do I store it in the a127 app? The nodesJS app is also a pass through for the other backend APIs. So when a call comes to a127, the app injects the token to the request and passes it on to the backend API.

I am leaning more towards Option 2. But wouldn’t that be akin to putting all eggs in one basket? Additionally is all this possible with a127?

@sganyo

I think the answer is going to depend on what you’re protecting, and also on how you view the api layer and the apps.

IMO, the standard path would be to associate the token with the mobile app. In general, this is the client that is being granted access, so it makes sense that every instance would get its own token.

Option 2 could make sense to me if the “app” in this situation were the API layer, and you didn’t really worry about controlling at the individual devices. I think this woulrd work when you’re not really doing any security from the app->api.. e.g. just some public data, but the back end system the api is built with requires auth.