Token storage alternatives

Hi everyone,

  1. I need to persist a sensitive authentication token (JWT) for the currently logged-in agent across page refreshes in my Custom App.
  2. I cannot use client.db because it is shared across all agents (security risk), and sessionStorage/cookies are often blocked by browsers in cross-origin iframes.
  3. Is there a built-in FDK method or officially recommended approach to securely store private, per-agent session data that survives an iframe reload?

Hi @external-Sukhad_Josh,

Welcome to the community!

Based on the current platform capabilities, there is no built-in method to store private, per-agent session data that survives an iframe reload.

For handling sensitive authentication tokens like JWTs, the following approach is recommended:

  • Dynamic Generation via SMI: Instead of persisting the token in the frontend, the JWT can be generated dynamically for each request using Server Method Invocation (SMI).
  • Request Templates: The generated token can then be included in the Request Template to securely interact with external APIs.

Browser-based storage (local storage or cookies) is not recommended for per-agent data due to security risks and cross-origin restrictions within the iframe. If the authentication follows a standard OAuth flow, the Agent OAuth mechanism should be used as the officially supported method for per-user authentication.

Regards,
Himanshu
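
Added example, not part of the original posts and not Freshworks code: the per-request approach from the reply above, where server-side code mints a short-lived JWT bound to one agent so that nothing has to survive an iframe reload, together with the check the receiving API would run. The function names, the `agentId` argument, the callback parameter, the secret and the 60-second lifetime are assumptions; signing is HS256 using Node's built-in `crypto` module.

```javascript
// Added example: all names and values are constructed for illustration.
const crypto = require("node:crypto");

const b64url = (value) => Buffer.from(value).toString("base64url");
const sign = (secret, data) => crypto.createHmac("sha256", secret).update(data).digest();

// Mint a short-lived HS256 JWT for one agent. Runs server-side only, so the
// signing secret never reaches the iframe and no token needs to be stored there.
function mintAgentToken(agentId, secret, nowSec, ttlSec = 60) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const claims = { sub: String(agentId), iat: nowSec, exp: nowSec + ttlSec };
  const signingInput = `${header}.${b64url(JSON.stringify(claims))}`;
  return `${signingInput}.${sign(secret, signingInput).toString("base64url")}`;
}

// Receiving side: verify the signature in constant time, then the expiry.
// Returns the claims, or null for a malformed, forged or expired token.
function verifyAgentToken(token, secret, nowSec) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const expected = sign(secret, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return null;
  }
  // Payload is parsed only after the signature has been accepted.
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  return nowSec < claims.exp ? claims : null;
}

// Handler shaped like a server method called once per outbound request.
// Assumption: agentId arrives in the call arguments; a value supplied by the
// frontend is untrusted and should be checked against what the server knows.
function getAgentToken(args, secret, nowSec, callback) {
  if (!args || !args.agentId) {
    return callback({ status: 400, message: "agentId required" });
  }
  return callback(null, { token: mintAgentToken(args.agentId, secret, nowSec) });
}
```

After a page refresh the app calls the server method again and receives a fresh token, so a token captured from the browser is usable for at most the configured lifetime.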