I have a SPA + API application and I want to know if it’s safe to store the token and scopes in local storage.
In this article, API and SPA Configuration (SPAs + API), the token information is being saved in localStorage. But this other article, Token Storage, says not to store tokens in local storage.
The best practice is to not store tokens in local storage or cookies accessible by JavaScript. Storing it using those techniques means hackers can relatively easily try and steal the token from your users.
I’d follow the best practices in the article you linked (Token Storage): store the token in memory and reauthorize at every refresh of the SPA. You can make this more seamless by using Seamless SSO or Silent Authentication.
Alternatively, you could do authentication at the API level and store user sessions server side. But it depends on your backend if that’s possible and feasible.
In the link I sent there are 3 options: Regular Web App Login Flow, Native/Mobile Login Flow or Hybrid Flow. Should I use the hybrid one, since in the Regular Web App flow the client secret needs to be kept on the client side?
Are there any examples of using one of the three suggested methods (Authorization Code Flow, Authorization Code Flow with Proof Key for Code Exchange, or Hybrid Flow) in order to not store a token in localStorage? I currently have an Angular 5 app accessing an ASP.NET Web API and am storing the token in localStorage, then using an auth interceptor to attach it to API calls to the server. How can I use one of these three methods to avoid using localStorage?
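The in-memory approach recommended above (keep the token out of localStorage, reauthorize on refresh) and the interceptor pattern from the Angular question, as an added example that is not code from this thread or from Auth0: the token lives in a closure, so no other script in the page can read it through `window.localStorage`, a full page reload drops it, and the interceptor-style helper reports when the app must reauthorize (for instance via silent authentication) before sending a request. The store and helper names are assumptions for this illustration.

```typescript
// Added example, not from the original thread or from Auth0's SDKs.
// Closure-scoped token store: nothing outside the returned object can read
// the token, and a page refresh discards it, so the SPA reauthorizes.

type StoredToken = { accessToken: string; expiresAt: number };

function createTokenStore(now: () => number = Date.now) {
  // Private state; not reachable via window.localStorage or the object itself.
  let current: StoredToken | null = null;
  const skewMs = 30000; // treat tokens about to expire as already expired

  return {
    // Called with the access token and its lifetime from the authorization
    // (or silent authentication) response.
    set(accessToken: string, expiresInSeconds: number): void {
      current = { accessToken, expiresAt: now() + expiresInSeconds * 1000 };
    },
    // Returns the token, or null when absent or within the skew of expiry.
    get(): string | null {
      if (!current || now() >= current.expiresAt - skewMs) return null;
      return current.accessToken;
    },
    clear(): void {
      current = null;
    },
  };
}

type TokenStore = ReturnType<typeof createTokenStore>;

// Interceptor-style helper: returns the headers to attach to an API call,
// or null when the caller must reauthorize before sending the request.
function withBearer(
  store: TokenStore,
  headers: Record<string, string> = {},
): Record<string, string> | null {
  const token = store.get();
  if (token === null) return null;
  return { ...headers, Authorization: `Bearer ${token}` };
}
```

In an Angular interceptor the `null` case is where the app triggers silent authentication (or redirects to login) and retries the request once a fresh token has been stored.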
Hey there!
Sorry for such a huge delay in response! We’re doing our best in providing you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.
I wanted to reach out to see if you still require further assistance.