Token from "getAccessTokenSilently" in frontend insecure?


I have a question regarding the “correct” use of the “getAccessTokenSilently” function.

As I understand it, I get a token here and it is stored in memory and then read from it when it is needed. I am currently using my own Axios instance, which has an interceptor function that writes the token to the header. But theoretically, couldn't this token be intercepted by anyone in the frontend? I would therefore like to know what would be the best way to make the whole thing reasonably secure.

Sorry if this is the wrong subcategory!

Thanks in advance!
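For reference, this is the interceptor pattern the question describes, written as an added example rather than code from the thread or from the Auth0 SDK. The token is never written to storage: every request asks `getAccessTokenSilently()` (the SDK function, injected here so the code runs without the SDK), which serves it from the SDK's in-memory cache. The origin check is the one caveat worth adding: the bearer token should only be attached to requests bound for your own API, so that a request to any other host made through the same Axios instance does not carry it. `API_ORIGIN` is a constructed placeholder.

```javascript
// Added example: an Axios-style request interceptor that attaches an
// in-memory access token as a bearer token, only for our own API origin.
// `getAccessTokenSilently` is passed in, so this runs without the Auth0 SDK.

const API_ORIGIN = "https://api.example.test"; // constructed placeholder

function makeAuthInterceptor(getAccessTokenSilently, apiOrigin = API_ORIGIN) {
  // Returns the function you would hand to axios.interceptors.request.use().
  return async function onRequest(config) {
    // Resolve relative URLs against baseURL (or the API origin) so the
    // origin comparison below is meaningful for both forms.
    const url = new URL(config.url, config.baseURL || apiOrigin);

    // Never attach the token to requests leaving our API origin; a third-party
    // host must not receive the bearer token.
    if (url.origin !== apiOrigin) {
      return config;
    }

    let token;
    try {
      token = await getAccessTokenSilently();
    } catch (err) {
      // e.g. login_required / consent_required: send the request without
      // credentials and let the API answer 401, which the app handles by
      // redirecting to login.
      return config;
    }

    return {
      ...config,
      headers: { ...(config.headers || {}), Authorization: `Bearer ${token}` },
    };
  };
}

// A small fake standing in for the SDK's getAccessTokenSilently (constructed).
async function fakeGetAccessTokenSilently() {
  return "constructed-access-token";
}
```

Register it with `axiosInstance.interceptors.request.use(makeAuthInterceptor(getAccessTokenSilently))`. The token is still readable by anything running in the page (an interceptor, a DevTools breakpoint, an injected script), so the protection is the same as for any SPA: the backend validates the token's signature, expiry and audience on every request, and keeps token lifetimes short.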

Hey there @manuel.poelzl1!

Assuming the Axios instance and general coding practices are secure, storing tokens in memory and utilizing HTTPS along with other best practices provide a reasonable level of security.

Thank you very much for your reply @tyf!
But theoretically speaking, wouldn’t it be possible for someone to just add a breakpoint with the browser DevTools and then just execute the getAccessTokenSilently function?

This may be a stupid question, but I just want to make sure.

1 Like

Happy to help!

I suppose they could, but it could only be invoked by an authenticated user within their own session.

1 Like

That makes sense!
Thank you very much for the explanation!

1 Like

No problem, happy to help!