2

Plaid and security newbie here.

From what I understand, access tokens are valid indefinitely, granting the user access to information regarding one of their accounts. Each account possesses a unique access token, and the tokens can only be invalidated either through the 'delete' request or through a user changing their password for that specific bank/account.

I'd like to keep them secure, and reduce the risk of them being accessed by hackers/nefarious actors, etc.

What would be the best way to store them though? From what little I know, it might be best to keep them in the backend and use them when needed to access user data on request, then send that resultant data to the frontend (with other protections in place like verification and authentication of the user).

Is there a more secure way to store them? Perhaps to encrypt them between calls?

And a follow-up, any thoughts on storing these tokens in something like Supabase? From what I've read and seen, Row Level Security might help mitigate some of the risk, no?

workinprogress98
  • 85
  • 3

1 Answers1

1

Your general thinking seems right to me -- access tokens should be stored in an access-controlled database on the backend and never stored on the client side. Encrypting access tokens at rest is recommended but not required. As you think about your security model, note that that the access token alone doesn't grant data access -- the access token + API client ID + API secret key combination is required for data access.

Alex
  • 1,245
  • 1
  • 9
  • 10