
Authentication security boils down to protecting refresh tokens and handling them correctly.

Your responsibilities

Don’t expose tokens

Never:
  • Log tokens to console, file, or error tracking
  • Put tokens in URLs (e.g., ?token=...)
  • Send tokens in unencrypted connections
  • Store tokens in plain text or localStorage (SDK handles this)
  • Share tokens across users or devices
Why: Tokens in URLs appear in browser history, server logs, and HTTP referer headers. If exposed, attackers can impersonate users.
If you ever see a token in your logs, console, or URLs, that’s a security issue. Review your code immediately and revoke affected tokens.

Use HTTPS only

When redirecting to/from sign-in, always use HTTPS. HTTP is only safe for localhost development.
// Good: HTTPS redirect
const redirectUri = "https://myapp.com/auth/callback";

// Good: localhost development
const redirectUri = "http://localhost:3000/auth/callback";

// Bad: HTTP production
const redirectUri = "http://myapp.com/auth/callback"; // ❌ Don't do this
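As an added example (not code from the Discovr SDK), a small guard that enforces the redirect-URI rules above before a URI is handed to the sign-in flow; the loopback host list and the set of token parameter names it rejects are assumptions:

```javascript
// Added example, not Discovr SDK code: enforce the redirect-URI rules before use.
//   - https:// is accepted for any host
//   - http:// is accepted only for loopback hosts (local development)
//   - a URI carrying a token-like query or fragment parameter is rejected,
//     since tokens in URLs end up in history, server logs and Referer headers
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]); // assumed list
// Assumed list of parameter names that must never ride in a redirect URI.
const TOKEN_PARAMS = ["token", "access_token", "refresh_token", "id_token"];

// Returns the first token-bearing parameter name found in a query/fragment string, or null.
function tokenParamIn(queryString) {
  const params = new URLSearchParams(queryString); // a leading "?" is ignored
  return TOKEN_PARAMS.find((name) => params.has(name)) || null;
}

function checkRedirectUri(uri) {
  let url;
  try {
    url = new URL(uri); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "redirect URI must be absolute" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `unsupported scheme ${url.protocol}` };
  }
  // Exact hostname match: "localhost.example.com" is not loopback.
  if (url.protocol === "http:" && !LOOPBACK_HOSTS.has(url.hostname)) {
    return { ok: false, reason: `http:// is only allowed for localhost, got ${url.hostname}` };
  }
  // Check both ?query and #fragment: a fragment never reaches the server,
  // but it is still written to browser history.
  const leaked = tokenParamIn(url.search) || tokenParamIn(url.hash.slice(1));
  if (leaked) {
    return { ok: false, reason: `token-bearing parameter "${leaked}" in redirect URI` };
  }
  return { ok: true, reason: "" };
}

// Throwing wrapper for call sites: fail fast instead of redirecting insecurely.
function requireSecureRedirectUri(uri) {
  const result = checkRedirectUri(uri);
  if (!result.ok) throw new Error(`Refusing redirect URI: ${result.reason}`);
  return uri;
}
```

Call requireSecureRedirectUri() on the value you would otherwise assign to redirectUri, so a misconfigured production build fails at startup rather than at the first sign-in.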

Sign out when needed

Call signOut() when:
  • User clicks “Sign Out” button
  • User logs out of your app
  • Account security concern detected
  • App is closed on sensitive devices
// When user clicks sign out
async function handleSignOut() {
	await client.signOut(); // Revokes this device's refresh token
	// Clear local state, redirect to login page
	redirectTo("/login");
}

What the SDK handles for you

  • ✅ Refresh token storage: Securely stored (Keychain, EncryptedSharedPreferences, HttpOnly cookie)
  • ✅ CSRF protection: State parameter in web flow validated automatically
  • ✅ Token refresh: Session tokens auto-refresh before expiry
  • ✅ Tokens never logged: SDK doesn’t log tokens
  • ✅ Tokens never in URLs: SDK sends tokens in Authorization headers, not URLs
You don’t need to worry about these; the SDK handles them automatically.
Never try to access or log tokens. Let the SDK manage them entirely.

Platform-specific storage

TypeScript / Web

SDK stores refresh token in:
  • HttpOnly cookie (secure, inaccessible to JavaScript, protected against XSS)
  • Or secure storage depending on SDK configuration
HttpOnly cookies are the most secure option for web apps—attackers cannot access them via JavaScript even if they inject code.
// SDK handles storage automatically
const client = new DiscovrClient("your-client-id");
await client.signInWithPopup();
// Refresh token stored in HttpOnly cookie

Kotlin / Android

SDK stores refresh token in:
  • EncryptedSharedPreferences (encrypted on device, only accessible to your app)
// SDK handles encryption automatically
val client = DiscovrClient(clientId = "...", storage = defaultStorage)
val result = client.signInWithWebAuth()
// Refresh token encrypted in device storage

Swift / iOS

SDK stores refresh token in:
  • Keychain (iOS’s secure credential storage)
// SDK handles Keychain storage automatically
let client = DiscovrClient(clientId: "...")
try await client.signInWithWebAuth()
// Refresh token stored in Keychain

Advanced: Custom client security

If building a custom client without DiscovrSDK: