Handle token authentication on the client side

Given an API which uses token authentication (e.g., JWT), how would a client store and cache the token? To remedy the effect of stolen tokens, tokens usually expire after a certain amount of time. However, almost all applications require logging in only once. How do they realize authentication? Do their tokens have no validity period, or do the apps automatically apply for a new token?


Solution 1:

You can store your token in an Account Manager on Android. Regarding token validity, all apps have their tokens expire within hours to days, depending on how fast you want to change them.

There is no specific way to handle expired tokens; you will have to write your own custom logic for this. Generally, what a lot of apps do is this: if the user's token has expired, they call an API that takes the old token. If the token is not very old (e.g., it expired within 1 - 2 days), it gives back a new token; but if the token is historic, they log out the user and ask him to log in again by providing username and password via your basic OAuth mechanism.
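The refresh policy described in this answer (use the token while valid, exchange it for a new one if it expired recently, force a fresh login if it is too old) as an added example; this is not code from the answer or from any Android library. It is Python rather than Android code, `TokenStore` is a stand-in for a platform secret store such as `AccountManager`, the two-day grace window and the `refresh_fn`/`login_fn` callbacks are assumptions, and `make_unsigned_token` only builds JWT-shaped strings for the demo. Note that the client reads the `exp` claim purely to schedule refreshes; it never trusts the token's contents, since only the server verifies the signature.

```python
import base64
import json
import time

# Assumed policy: a token that expired within the last two days may be
# exchanged for a fresh one; anything older requires a full re-login.
REFRESH_GRACE_SECONDS = 2 * 24 * 3600


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(token: str) -> int:
    """Read the `exp` claim from a JWT payload.

    The client uses this only to decide when to refresh. It does NOT verify
    the signature: that is the server's job, and a client-side check would
    add nothing because the client has no way to know the signing key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return int(payload["exp"])


def classify_token(token: str, now: int, grace: int = REFRESH_GRACE_SECONDS) -> str:
    """Return 'valid', 'refresh' (expired but within grace) or 'relogin'."""
    exp = jwt_expiry(token)
    if now < exp:
        return "valid"
    if now - exp <= grace:
        return "refresh"
    return "relogin"


class TokenStore:
    """In-memory stand-in for a platform secret store (e.g. AccountManager)."""

    def __init__(self):
        self._token = None

    def load(self):
        return self._token

    def save(self, token):
        self._token = token

    def clear(self):
        self._token = None


class TokenClient:
    """Hands out a usable token, refreshing or re-authenticating as needed.

    refresh_fn(old_token) -> new token   (hypothetical server exchange call)
    login_fn()            -> new token   (hypothetical credential prompt)
    """

    def __init__(self, store, refresh_fn, login_fn, clock=time.time):
        self.store = store
        self.refresh_fn = refresh_fn
        self.login_fn = login_fn
        self.clock = clock

    def _login(self):
        token = self.login_fn()
        self.store.save(token)
        return token

    def get_token(self) -> str:
        token = self.store.load()
        if token is None:
            return self._login()
        state = classify_token(token, int(self.clock()))
        if state == "valid":
            return token
        if state == "refresh":
            new_token = self.refresh_fn(token)  # server accepts the recently expired token
            self.store.save(new_token)
            return new_token
        # Historic token: drop it so a stolen copy is never presented again.
        self.store.clear()
        return self._login()


def make_unsigned_token(exp: int) -> str:
    """Constructed demo helper: a JWT-shaped string with a placeholder signature."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg({'sub': 'user', 'exp': exp})}.FAKESIGNATURE"
```

In a real app `TokenStore` would wrap the platform keystore, `refresh_fn` would call the API's token-exchange endpoint and `login_fn` would show the credential screen; the decision logic in `get_token` stays the same.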