
Storing Tokens

How to connect users to your database


After completing the auth flow and obtaining a user's ID token and access token, you can choose from several strategies to connect users to your app's database. For more information on the ID token, refer to the Tokens documentation.

ID Token

You can create a user in your database using the ID token. The ID token contains the user's unique identifier in the subject (sub) field, which can serve as a reference for the user in your database. The ID token also includes the user's profile information, allowing you to populate user details in your database accordingly.

Access Token

The access token also contains the user's unique identifier in the subject (sub) field. You can use this to identify the user in your database. Additionally, the access token includes the user's consented scopes, which help you determine the information you can access from the user's profile using the Galaxy API.

Make sure to store the access token securely in your database or another safe storage mechanism accessible to your application.

Refresh Token

In addition to storing ID tokens, you may also need to store refresh tokens in your database. Refresh tokens are used to obtain new access tokens without requiring the user to re-authenticate. This can be particularly useful for providing a seamless user experience, especially for applications that require long-lived sessions.

When you receive a refresh token, it should be stored securely in your database, associated with the user. Here's an example of how you might store a refresh token:

{
  "userId": "{userId}",
  "refreshToken": "{refreshToken}"
}

When the access token expires, your application can use the stored refresh token to request a new access token from the Rollup ID authorization server. This request would include the refresh token along with your application's client ID and secret.

It's important to handle refresh tokens securely because they can be used to obtain new access tokens. If a refresh token is leaked, it could potentially allow unauthorized access to the user's resources. Therefore, refresh tokens should be stored securely and treated with the same level of care as the user's credentials.
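One way to store the record shown above so that a database leak alone does not expose usable refresh tokens. This is an added example, not Rollup ID's own code: it encrypts the token with AES-256-GCM and binds the ciphertext to the userId. The function names, the in-memory `db` and the generated key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: in production this 32-byte key comes from a secrets manager or
// KMS, never from source code or the same database. Generated here so the
// example runs offline.
const KEY = crypto.randomBytes(32);

// Hypothetical stand-in for a database table keyed by userId (the `sub` claim).
const db = new Map();

// Encrypt a refresh token; layout of the result is iv(12) | tag(16) | ciphertext.
function sealToken(userId, refreshToken, key = KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId, 'utf8')); // bind ciphertext to this user
  const ct = Buffer.concat([cipher.update(refreshToken, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt and authenticate; throws if the value was modified or belongs to
// a different userId.
function openToken(userId, sealed, key = KEY) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 28) throw new Error('sealed token too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12),
    { authTagLength: 16 });
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()])
    .toString('utf8');
}

// Persist the same { userId, refreshToken } shape, with the token sealed.
function saveRefreshToken(userId, refreshToken) {
  db.set(userId, { userId, refreshToken: sealToken(userId, refreshToken) });
}

function loadRefreshToken(userId) {
  const row = db.get(userId);
  return row ? openToken(userId, row.refreshToken) : null;
}
```

Because the userId is authenticated as associated data, a sealed token copied into another user's row fails to decrypt instead of silently granting that user's session to someone else.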

To learn more about using refresh tokens with Rollup ID, refer to our and resources.

auth flow
Tokens
Galaxy API
API documentation