Storing Bearer Token for external APIs

Hello everyone,

I’m implementing an app that consumes an external API. The API returns a Bearer Token valid for 2 hrs after logging in, to be used for every subsequent request. I’m new to Elixir and was wondering where to store this token for the future.

My current approach:

  1. Standalone application (Agent) to handle communication with this external API
  2. When the app is started, it tries to authenticate and get the AuthToken (checking expiry date etc)
  3. The token is saved in the agent’s state, it will be read from here in future calls.

Alternatives that I can think of:
a. Put the AuthToken into env variables with Application.put_env/3 → slight security concerns as if the app crashes, env variables could get dumped to the console. Also, other apps will never need this, so it feels strange.
b. Write it to DB? Could be an overkill, but at least there’ll be one entry per new token, good for tracing.
c. Write to disk.

Might be a dumb question, but would be grateful if someone helps a noob out :slight_smile:
Thanks!

1 Like

Keeping the token in memory means that it will most likely not survive application restarts (unless you have distribution configured). If that’s an issue, I’d store it in the DB as an encrypted field. If that’s not a concern, keeping it in an Agent seems fine to me.

Note that keeping the token in memory can make it leak - if a process crashes, the current process state can get dumped to a log file. For improved security consider wrapping the token in a struct with overridden Inspect implementation or using a redacted field in Ecto.

3 Likes
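One way to put the two ideas above together (the original poster's Agent that checks expiry, plus the suggestion to wrap the token in a struct with a custom Inspect implementation). This is an added example written for this thread, not code from either poster; the module names, the `login_fun` callback and the 60-second grace period are assumptions, and the login function shown at the bottom is a constructed stand-in that does no network I/O.

```elixir
defmodule ExternalApi.Token do
  @moduledoc "Bearer token wrapper whose inspect output never shows the secret."
  @enforce_keys [:value, :expires_at]
  defstruct [:value, :expires_at]

  @type t :: %__MODULE__{value: String.t(), expires_at: DateTime.t()}

  # Assumed grace period: treat the token as expired slightly early so an
  # in-flight request does not race the server-side 2-hour expiry.
  @grace_seconds 60

  @doc "True when the token has expired or is within the grace window."
  def expired?(%__MODULE__{expires_at: expires_at}, now \\ DateTime.utc_now()) do
    DateTime.diff(expires_at, now, :second) <= @grace_seconds
  end

  # Custom Inspect implementation: anything that renders the struct via
  # inspect/1 (IO.inspect, Logger crash reports, error messages) sees the
  # redacted form instead of the bearer value.
  defimpl Inspect do
    def inspect(%{expires_at: expires_at}, _opts) do
      "#ExternalApi.Token<value: \"[REDACTED]\", expires_at: " <>
        DateTime.to_iso8601(expires_at) <> ">"
    end
  end
end

defmodule ExternalApi.TokenStore do
  @moduledoc """
  Agent holding the current bearer token and refreshing it on demand when
  it is missing or about to expire. `login_fun` is a hypothetical
  zero-arity callback standing in for the real login request; it must
  return {:ok, %ExternalApi.Token{}} or {:error, reason}.
  """
  use Agent
  alias ExternalApi.Token

  def start_link(login_fun) when is_function(login_fun, 0) do
    Agent.start_link(fn -> %{login: login_fun, token: nil} end, name: __MODULE__)
  end

  @doc "Returns {:ok, token} with a token that is still valid, logging in again if needed."
  def get_token do
    Agent.get_and_update(__MODULE__, fn state ->
      case state.token do
        %Token{} = token ->
          if Token.expired?(token), do: refresh(state), else: {{:ok, token}, state}

        nil ->
          refresh(state)
      end
    end)
  end

  # Calls the login function and caches the new token on success; on
  # failure the old state is kept so a transient error does not wipe a
  # token that may still be usable.
  defp refresh(state) do
    case state.login.() do
      {:ok, %Token{} = token} -> {{:ok, token}, %{state | token: token}}
      {:error, reason} -> {{:error, reason}, state}
    end
  end
end

# Constructed stand-in for the real login call: returns a fake token that
# expires in 2 hours, mirroring the API described in the question.
fake_login = fn ->
  {:ok,
   %ExternalApi.Token{
     value: "constructed-secret-not-a-real-token",
     expires_at: DateTime.add(DateTime.utc_now(), 2 * 60 * 60, :second)
   }}
end

{:ok, _pid} = ExternalApi.TokenStore.start_link(fake_login)
{:ok, token} = ExternalApi.TokenStore.get_token()
IO.inspect(token)
# Prints #ExternalApi.Token<value: "[REDACTED]", expires_at: ...> rather than the secret.
false = ExternalApi.Token.expired?(token)
```

Two caveats worth knowing. First, the refresh runs inside `Agent.get_and_update/2`, so every caller waits while the login request is in flight; if that latency matters, a GenServer that refreshes ahead of expiry is the usual next step. Second, the Inspect override only protects paths that go through the Inspect protocol: `:sys.get_state/1`, `:observer`, and an `erl_crash.dump` show the raw term, so the token can still be recovered from those by anyone with access to the node or the dump.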

Thanks for your answer! Interesting stuff about leaky process state, will definitely keep it in mind.

1 Like