Storing secret in user_metadata

Hi John, thank you for the help.

Architecture is simple. Using Auth0 for my generic authentication / authorisation service and using a 3rd-party API to get some of the users' data. The access token is to access this 3rd-party API.

I totally agree, whenever storing access tokens (or other critical secrets) I want to be very diligent. And that is why I would prefer if I can rely on a service like Auth0 that already stores such secrets for me. The alternative is that I build the storage for this and take care of storing it safely. Doable but probably a day or two of work and a bunch of headache for maintenance. Trying to save that time unless it means compromising security of the access token.

Thanks a lot for the help again.