What are Client Managed Tokens?
Client Managed Tokens is the model where your application takes responsibility for securely storing and managing theauth_token and refreshToken that are returned after a user connects their account through Mesh Link.
This is the key to enabling the “Seamless Return Experience,” where a user who has connected their account once does not need to log in again for future transactions.
Why is CMT the Recommended Approach?
We strongly recommend that clients manage their own tokens for a crucial reason: security. By storing the tokens on your own secure backend, you maintain full control over your users’ data and connections. This aligns with security best practices and prevents Mesh from becoming a “honeypot,” which would be a centralized target for potential attacks.How to Implement Client Managed Tokens: A Step-by-Step Guide
Implementing CMT involves a five-step process that covers capturing, storing, and utilizing the tokens.Step 1: Get Tokens from the SDK
Use theonIntegrationConnected() SDK callback function to capture the accessTokenPayload after the user successfully connects their account. You will need to capture and store the following key fields:
accessTokenrefreshTokenexpiresInSecondsrefreshTokenExpiresInSecondsbrokerTypebrokerName
Step 2: Associate Tokens with a User
On your backend, you must associate the set of tokens you just received with a unique identifier for that specific user in your system. This is a critical step to ensure that you only ever use a token for the correct user and do not mix up account data.Step 3: Store Tokens Securely
It is essential to store the tokens with the utmost security. The tokens should be stored in a secure and encrypted storage layer on your backend, such as a key management system (KMS) or an encrypted database.🔒 Security First Never store auth_token or refreshToken in an insecure location, especially on the client side (e.g., in browser local storage) for production applications.
Step 4: Implement Token Refresh Logic
Some tokens, particularly from OAuth integrations like Coinbase, will expire. To maintain a persistent connection, you must implement logic on your backend to refresh them.- Check if the
expiresInSecondsvalue is present. If it is, you need to refresh theaccessTokenbefore it expires. - Record the timestamp when the token was obtained.
- Before that timestamp plus
expiresInSecondsoccurs, make aPOSTrequest to the/api/v1/token/refreshendpoint, including therefreshToken, to get a newaccessToken. - If a
refreshTokenExpiresInSecondsis also provided, implement the same logic for therefreshTokenitself.
Note: It is considered bad practice to wait for a 401 Unauthorized error before refreshing a token. Proactive refreshing provides a much better user experience.
Step 5: Pass Tokens to the SDK for Return Users
The next time the same user initiates a transaction, you will pass their stored and validaccessToken in the accessTokens parameter when you initialize the Link SDK. This will bypass the authentication step and take the user directly to the transfer flow, creating a seamless, one-click experience.