After OAuth Completion, Where Should the Access Token Be Stored and How Do I Retrieve It Later?

I need to use a storage service from my backend using the Monday Apps SDK:

import { Storage } from '@mondaycom/apps-sdk';

const storage = new Storage('<ACCESS_TOKEN>');

According to the documentation, the ACCESS_TOKEN must be obtained via the OAuth flow:

  • The access token represents the user/account the app works for.
  • The sessionToken passed from the frontend will not work.
  • Access tokens do not expire and remain valid until the user uninstalls the app.
  • Monday’s OAuth flow does not support refresh tokens.

Given this, I have a few questions:

  1. Whenever my backend needs to access storage, do I need to provide an access token every time?
  2. Does that mean I need to run the OAuth flow repeatedly?
  3. Or is the recommended approach to generate the access token once during OAuth and store it securely on the backend?
  4. If Monday already stores the access token securely after OAuth:
     • How can my backend retrieve and use that stored token?
  5. If I need to store the token myself:
     • What is the recommended way to store the access token securely?
     • How should the token be revoked or retired when needed (for example, on uninstall or security concerns)?

Hello @Tamilarasi. You do not rerun OAuth every time. You run OAuth once per installing account, receive a long-lived access token, store it securely on your backend, and pass that same token whenever your backend uses the Storage SDK.

monday does not expose a way for your backend to retrieve a token it stores. After OAuth, your app owns the token lifecycle.

Recommended approach
  • Generate the access token during OAuth
  • Store it server side as a secret (encrypted at rest, never logged, scoped per account)
  • Reuse it for all backend Storage access

Revocation and cleanup
Listen for the app uninstall event and delete the stored token and related data. Once uninstalled, the token is no longer valid.

Dr. Tanvi Sachar
Monday Certified Partner, Tuesday Wizard
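
Added example, not part of the original replies and not monday's own code: one way to implement the "encrypted at rest, scoped per account, delete on uninstall" advice above in Node.js. The TokenVault class, the in-memory Map standing in for a database table, the account ID and the token value are assumptions made up for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical helper: stores one OAuth access token per installing account,
// encrypted with AES-256-GCM. The account ID is used as associated data, so a
// row copied to another account's slot fails authentication on decrypt.
class TokenVault {
  // key: 32 bytes. Assumption: in production it is loaded from a secrets
  // manager or KMS, never hard-coded. db: stand-in for a real database table.
  constructor(key, db = new Map()) {
    this.key = key;
    this.db = db;
  }

  // Call once, at the end of the OAuth callback for this account.
  save(accountId, accessToken) {
    const iv = crypto.randomBytes(12); // fresh nonce for every encryption
    const cipher = crypto.createCipheriv('aes-256-gcm', this.key, iv);
    cipher.setAAD(Buffer.from(String(accountId)));
    const ct = Buffer.concat([cipher.update(accessToken, 'utf8'), cipher.final()]);
    this.db.set(String(accountId), { iv, ct, tag: cipher.getAuthTag() });
  }

  // Call whenever the backend needs the token, e.g. new Storage(vault.load(id)).
  // Returns null if the account never installed or has uninstalled.
  load(accountId) {
    const row = this.db.get(String(accountId));
    if (!row) return null;
    const decipher = crypto.createDecipheriv('aes-256-gcm', this.key, row.iv);
    decipher.setAAD(Buffer.from(String(accountId)));
    decipher.setAuthTag(row.tag);
    // final() throws if the key, ciphertext, tag or account binding is wrong.
    return Buffer.concat([decipher.update(row.ct), decipher.final()]).toString('utf8');
  }

  // Call from the handler for the app uninstall event.
  revoke(accountId) {
    return this.db.delete(String(accountId));
  }
}

// Constructed sample run: the key, account ID and token below are made up.
function demo() {
  const vault = new TokenVault(crypto.randomBytes(32));
  vault.save(12345, 'constructed-token-abc');
  const loaded = vault.load(12345);
  vault.revoke(12345);
  return { loaded, afterUninstall: vault.load(12345) };
}
```

Only the ciphertext, nonce and tag reach the database, and the plaintext token is never written to logs by this code.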

Hi @Tamilarasi. Just checking on this as I have the same question. Do you already have a solution regarding where to store the OAuth token on the backend side? What is your solution? I'm also currently figuring out how to store it on the server side, since monday.com doesn't have a database like SQL and we also need the OAuth token to fetch specific storage values in the monday SDK. Thanks