I am looking for some best practices regarding security of an access token. I am building a React / Next JS 14 app and I am using a third party to retrieve financial data from a user’s bank account (Plaid), and one of the things that is sent back when they connect a bank account is an access token. This access token is a permanent identifier of the account / user, and does not expire. I have stored it in the database on the user’s table; however, I don’t know exactly how to use it.
I know it is bad security to expose the access token on the client side; but does this mean that every time I perform a plaid request on the server side, I first have to make a call to my database (based on something like user id), to get the access token? This sounds sort of tedious and inefficient to have to make this same database call for all of my plaid calls to get the access token, but is this just best practice and something I have to put up with? Or is there some sort of way to cache the access token server side for reuse? I know of caching using local, session, and cookies on the browser, but again that is client side and insecure. I am not sure what to do here. Any thoughts sure would be helpful. Thanks!!