Short-lived JWT access tokens are used to authenticate API requests and should not be stored persistently. JWTs typically have short expiration times (e.g., 15 minutes to 1 hour), and storing them long-term adds risk without much benefit: if a JWT is compromised (e.g., through a security vulnerability or device compromise), it can be misused until it expires, and persistent storage widens that window.
Best Practice: Instead of storing JWTs, store the Refresh Token, which is longer-lived and is exchanged for a new JWT when the current one expires.
In a Kotlin Multiplatform (KMP) project, you should abstract the storage of Refresh Tokens in a way that is secure on both Android and iOS.
Android: Store the refresh token using the Android Keystore, for example through EncryptedSharedPreferences, whose master key is Keystore-backed.
iOS: Use the Keychain to securely store the refresh token.
The JWT is kept only in memory and used for API requests until it expires (it is simply dropped when the process ends), while the refresh token is stored securely on the device so that it can be used to obtain new JWTs when needed.
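The pattern described above, as an added example (not code from the original page): a common-code `TokenManager` that holds the JWT only in memory and refreshes it on demand, behind a small `SecureTokenStore` interface that each platform implements, plus an Android implementation on EncryptedSharedPreferences. The interface name, `RefreshResult`, the injected `refresh` function and the `auth_store` file name are assumptions chosen for the example; the iOS implementation would wrap the Keychain in the same way and is not shown. The two source sets are concatenated here for readability.

```kotlin
// ---- commonMain (hypothetical names; example code) ----
import kotlinx.coroutines.sync.Mutex
import kotlinx.coroutines.sync.withLock

/** Platform-backed storage for the long-lived refresh token only. */
interface SecureTokenStore {
    fun readRefreshToken(): String?
    fun writeRefreshToken(token: String)
    fun clear()
}

/** The short-lived JWT plus its expiry; lives in memory only, never written to disk. */
data class AccessToken(val jwt: String, val expiresAtEpochSeconds: Long)

/** What the auth server returns on refresh; a rotated refresh token is optional. */
data class RefreshResult(val access: AccessToken, val newRefreshToken: String?)

class TokenManager(
    private val store: SecureTokenStore,
    // Performs the network call to the auth server; injected so it can be faked in tests.
    private val refresh: suspend (refreshToken: String) -> RefreshResult,
    private val nowEpochSeconds: () -> Long,
    private val skewSeconds: Long = 30,          // refresh slightly early to absorb clock drift
) {
    private var access: AccessToken? = null      // in-memory only
    private val mutex = Mutex()                  // one refresh at a time under concurrent callers

    /** Returns a JWT to put in the Authorization header, or null if the user must log in again. */
    suspend fun bearerToken(): String? = mutex.withLock {
        val current = access
        if (current != null && current.expiresAtEpochSeconds - skewSeconds > nowEpochSeconds()) {
            return@withLock current.jwt
        }
        val refreshToken = store.readRefreshToken() ?: return@withLock null
        val result = refresh(refreshToken)
        access = result.access
        // If the server rotated the refresh token, the old one is replaced so it cannot be replayed.
        result.newRefreshToken?.let { store.writeRefreshToken(it) }
        result.access.jwt
    }

    /** Drops the JWT from memory and removes the refresh token from secure storage. */
    fun logout() {
        access = null
        store.clear()
    }
}

// ---- androidMain (example implementation on androidx.security.crypto) ----
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

class AndroidSecureTokenStore(context: Context) : SecureTokenStore {
    private val prefs = EncryptedSharedPreferences.create(
        context,
        "auth_store",                                      // assumed file name
        MasterKey.Builder(context).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build(),
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
    )

    override fun readRefreshToken(): String? = prefs.getString(KEY, null)

    override fun writeRefreshToken(token: String) {
        prefs.edit().putString(KEY, token).apply()
    }

    override fun clear() {
        prefs.edit().remove(KEY).apply()
    }

    private companion object { const val KEY = "refresh_token" }
}
```

Call sites ask `tokenManager.bearerToken()` before each request rather than caching the JWT themselves; the mutex means several requests arriving at once trigger a single refresh. Because the JWT is never persisted, a cold start always begins with a refresh, which is the intended behaviour.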