How should I store authentication tokens securely?

Store tokens in httpOnly cookies (web), secure storage (iOS Keychain, Android Keystore), or memory (SPAs). Never store in localStorage, sessionStorage, or plain text files. Use environment variables for API keys on servers.

What are common token security vulnerabilities?

Common vulnerabilities include: storing tokens in localStorage (XSS attacks), weak token expiration, no token rotation, exposing tokens in URLs/logs, using weak signing algorithms, and not validating token signatures properly.

How often should I rotate tokens?

Rotate access tokens frequently (15 minutes to 1 hour). Refresh tokens should be rotated less frequently (7-30 days) but immediately if compromised. API keys should be rotated every 90 days or when compromised.

What is token privacy and why does it matter?

Token privacy means protecting user data in tokens, not logging tokens, and ensuring tokens aren't exposed. Privacy matters because tokens can contain sensitive user information (email, ID, permissions) that must be protected under GDPR, CCPA, and other regulations.

Should I log tokens for debugging?

Never log full tokens. If needed for debugging, log only token metadata (user ID, expiration, token type) or use token hashes. Full tokens in logs are a major security risk and privacy violation.

Token Security & Privacy: Best Practices, Dos & Don'ts

Token security and privacy are critical for protecting user data and preventing unauthorized access. This comprehensive guide covers best practices, common vulnerabilities, dos and don'ts, and privacy considerations for working with authentication tokens.

Whether you're working with JWT tokens, API keys, or OAuth tokens, following security best practices is essential for building trustworthy applications.

✅ Security Best Practices

Use Strong Signing Algorithms

Always use strong cryptographic algorithms for token signing. For JWT, prefer RS256 (RSA) or ES256 (ECDSA) over HS256 (HMAC) when possible.

✅ RS256: Asymmetric, more secure

✅ ES256: ECDSA, good for mobile

❌ HS256: Symmetric, requires secret sharing

Set Appropriate Expiration Times

Use short-lived access tokens (15 minutes to 1 hour) and longer-lived refresh tokens (7-30 days). Balance security with user experience.

Access Token: 15-60 minutes

Refresh Token: 7-30 days

API Keys: Rotate every 90 days

Store Tokens Securely

Use secure storage mechanisms appropriate for your platform. Never store tokens in insecure locations.

✅ Web: httpOnly cookies

✅ iOS: Keychain

✅ Android: Keystore

✅ Server: Environment variables

❌ localStorage, sessionStorage

❌ Plain text files

Implement Token Rotation

Regularly rotate tokens to limit exposure window. Rotate refresh tokens on use, and implement automatic rotation for long-lived tokens.

• Rotate refresh tokens on each use

• Rotate API keys every 90 days

• Immediate rotation on compromise

Validate Token Signatures

Always validate token signatures before trusting token content. Never skip signature validation, even in development.

✅ Verify signature algorithm

✅ Check expiration (exp claim)

✅ Validate issuer (iss claim)

✅ Check audience (aud claim)

Use HTTPS Always

Always transmit tokens over HTTPS/TLS. Never send tokens over unencrypted HTTP connections. Use HSTS headers to enforce HTTPS.

❌ Common Security Mistakes (Don'ts)

Don't Store Tokens in localStorage

localStorage is vulnerable to XSS attacks. Any JavaScript running on your domain can access localStorage, making tokens easily stealable.

Don't Put Tokens in URLs

Tokens in URLs can be logged in server logs, browser history, and referrer headers. Use Authorization header instead.

Don't Log Full Tokens

Logging full tokens exposes them in log files, monitoring systems, and error tracking tools. Log only metadata or token hashes.

Don't Use Weak Algorithms

Avoid 'none' algorithm, weak HMAC keys, or deprecated algorithms. Always use strong, industry-standard cryptographic algorithms.

Don't Skip Expiration Checks

Always validate token expiration. Expired tokens should be rejected immediately. Implement clock skew tolerance (5 minutes) for distributed systems.

Don't Store Secrets in Code

Never hardcode tokens, API keys, or signing secrets in source code. Use environment variables, secret management systems, or secure vaults.

🔒 Privacy Best Practices

Minimize Data in Tokens

Only include necessary information in tokens. Avoid storing sensitive data like passwords, credit card numbers, or full user profiles.

✅ Include: user_id, email, permissions

❌ Exclude: passwords, SSN, credit cards

Don't Log Token Content

Never log full tokens or token payloads. If debugging is needed, log only token metadata (user ID, expiration) or use token hashes.

Implement Token Revocation

Provide mechanisms to revoke tokens when users log out, change passwords, or report security incidents. Maintain revocation lists for stateless tokens.

Comply with Privacy Regulations

Ensure token handling complies with GDPR, CCPA, and other privacy regulations. Allow users to revoke tokens and delete their data.

Use Token Encryption for Sensitive Data

If tokens must contain sensitive information, encrypt the payload. JWE (JSON Web Encryption) provides encryption for JWT tokens.

Common Vulnerabilities

Algorithm Confusion Attacks

Attackers can change JWT algorithm from RS256 to HS256 and use public key as HMAC secret. Always validate algorithm matches expected value.

✅ Always verify algorithm matches expected

✅ Use algorithm whitelist

✅ Consider PASETO (no algorithm confusion)

XSS Attacks on Token Storage

Storing tokens in localStorage makes them vulnerable to XSS attacks. Malicious scripts can steal tokens from localStorage.

✅ Use httpOnly cookies

✅ Implement Content Security Policy (CSP)

✅ Sanitize user input

Token Replay Attacks

Stolen tokens can be reused until expiration. Implement token rotation, short expiration times, and token binding (IP, device fingerprint).

Weak Secret Keys

Weak HMAC secrets or RSA keys can be brute-forced. Use strong, randomly generated secrets with sufficient entropy (256 bits for HMAC).

Quick Reference: Dos & Don'ts

Dos

Use strong signing algorithms (RS256, ES256)
Set short expiration times (15-60 min)
Store tokens in secure storage (httpOnly cookies, Keychain)
Validate token signatures always
Use HTTPS for all token transmission
Implement token rotation
Minimize data in tokens
Use environment variables for secrets

Don'ts

Store tokens in localStorage
Put tokens in URLs
Log full tokens
Use weak algorithms or 'none'
Skip expiration validation
Hardcode secrets in code
Store sensitive data in tokens
Use long-lived tokens without rotation

Compare Tokens Securely

Use our free Token Comparator tool to compare tokens. All comparison happens in your browser - your tokens never leave your device.

Open Token Comparator