Best Practices to manage 3rd Party API tokens

There are lots of 3rd Party APIs available in the wild. I’m seeing many 3rd party APIs use the OAuth 2.0 protocol to authenticate programatic access to their API. While I’ve seen may examples online of retrieving Oauth tokens, I haven’t seen much regarding best practices to manage tokens/expiration/rotation/etc.

I’m currently building my first serverless app on top of an API that uses the OAuth protocol for authentication. Users give my app permission to access the 3rd party API on their behalf, which results in me getting an OAuth token for each user of my app. My app periodically uses this token to make calls to retrieve user info.

I am currently managing (storing, rotating, etc) my users OAuth tokens manually, which seems like a heavy lift for such a common use case. I had hoped there would be a service that could store/rotate/etc my users OAuth tokens. AWS Secrets manager provides auto rotation of tokens, which sounds perfect for my use case. However, at .40 cents/month per secret, it doesn’t seem like an affordable solution to me (my 3rd party API has an oauth secret per user).

How are people managing their 3rd party API tokens? This use case seems very common, but I can’t seem to find examples anywhere. This is leading me to believe I’m approaching this all wrong!

1 Like