@vincent15000 It’s not “secure” to store a credential such as an API token in plaintext anywhere on the client. This is why Taylor created Sanctum for authenticating JavaScript-based applications.
Best practice to store an API token in the front
Hello,
I should specify that, even if I know VueJS a bit, I have very little knowledge about security with VueJS. I have everything to learn about security.
What's the best practice to store an API token in the front?
I have read several articles which all say that the best practice is to store it in the localStorage or in the sessionStorage.
But I'm not sure it's really a best practice.
I thought about storing it in the VueJS store.
But in both cases the value is readable via some browser devtools. And I'm not sure it's a good idea to let anyone be able to read the token.
What's your opinion about the storage of the token?
Thanks for your answer.
V
@vincent15000 Look at the URL. That’s for mobile apps. Not JavaScript. Mobile apps can deal with tokens because they can store it securely in something like iCloud Keychain, or whatever Google’s equivalent is.
For JavaScript, use https://laravel.com/docs/9.x/sanctum#spa-authentication
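The cookie-based SPA flow that the answer above points to, written out from the browser side as an added example (not code from this thread or from Laravel itself). It assumes Sanctum's default `/sanctum/csrf-cookie` and `/login` routes, the default `XSRF-TOKEN` cookie name, and a hypothetical `/api/user` endpoint; `fetchImpl` and `cookies` are injected only so the flow can be exercised outside a browser. The point it shows: no credential is ever placed in localStorage or the Vue store, because the session cookie is HttpOnly and the browser attaches it itself.

```javascript
// Assumed defaults: Sanctum routes /sanctum/csrf-cookie and /login,
// cookie name XSRF-TOKEN, and a hypothetical /api/user endpoint.

// Pull the XSRF-TOKEN value out of a document.cookie-style string.
// Laravel URL-encodes the cookie value, so it is decoded before use.
function readXsrfToken(cookieString) {
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'XSRF-TOKEN') return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build fetch options for a request that rides on the session cookie.
// Nothing is read from localStorage or a store: the HttpOnly session cookie
// is sent by the browser and is not readable by script in the page.
function sessionRequest(method, cookieString, body) {
  const headers = { Accept: 'application/json' };
  const xsrf = readXsrfToken(cookieString);
  // The CSRF header proves the request was issued by our own origin's JS.
  if (xsrf) headers['X-XSRF-TOKEN'] = xsrf;
  const init = { method, headers, credentials: 'include' };
  if (body !== undefined) {
    headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  return init;
}

// Full login sequence. In a real page call it as
//   sanctumLogin(email, password, fetch, () => document.cookie)
async function sanctumLogin(email, password, fetchImpl, cookies) {
  // 1. Ask Sanctum to set the XSRF-TOKEN cookie and start a session.
  await fetchImpl('/sanctum/csrf-cookie', sessionRequest('GET', cookies()));
  // 2. Log in; the CSRF token from step 1 must accompany the POST.
  const res = await fetchImpl('/login',
    sessionRequest('POST', cookies(), { email, password }));
  if (!res.ok) throw new Error(`login failed: ${res.status}`);
  // 3. Later API calls need nothing more than credentials: 'include'.
  const me = await fetchImpl('/api/user', sessionRequest('GET', cookies()));
  return me.json();
}
```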