Hello darkness, my old friend (or: client-side handling of access tokens)

Lazer Dailynista
edited September 2022 in Discussion

I've been working quite a bit with Daily meeting tokens lately. My pre-Daily work with access tokens has mostly involved server-side flows, so I got to do all the fun parts and let other teams figure out how they want to deal with tokens on their native clients from there.

Now, I've been working more with client-side handling of meeting tokens, which is much trickier imo. It has been very interesting in a self-defeating kind of way. My descent down the rabbit hole of safe token handling on the client went from "wellll it really depends on the use case", to "which security compromise is one willing to make", to "...nothing is secure... everything is temporary... hello darkness, my old friend..."

It's been fun! And despite the above, there are definitely some concrete guidelines on safe handling of meeting tokens (some of which I cover in this recent blog post and accompanying meeting token guide).

Curious how others feel about handling access tokens on the client side, whether meeting tokens or some other token? Have you had any use cases requiring persistent storage of tokens on the client (via a cookie, local storage, or something else)? Have you ever had to make compromises in your app functionality/feature set for the sake of security (or vice versa)?