Context: I'm using NestJS to handle the backend for my application. My application also requires sending emails programmatically, for which I'm using Zoho (and their API), since that's the email client I want to use for my team.
Problem: Zoho uses OAuth 2.0 to protect their API instead of an API key (that can be stored in an environment variable). I have to authorise these tokens manually from my Zoho account every time the server starts, after which they're stored in memory (in a helper class). Now that I'm deploying for testing, most services have a spin-down limit (the server spins down after a period of inactivity), which means the tokens are gone. What is the best way to store these tokens so that I have access to them post spin-down? Or is there a better way I should be handling these tokens?
1/ I considered writing them to the disk and reading them on server start if present, but that poses a security risk.
2/ Tried to look for a service that didn't have spin-down but found nothing with the minimum budget.
Currently saving the access_token and refresh_tokens in the DB after encrypting them as a JWT. Any other encryption technique would also work but I had services for JWT all written out. This seems secure enough since my server is the only source that knows the signing-secret, so even if someone was to get access to the tokens during transmission between server and DB, or if DB were to get compromised, the tokens would be useless and my mail account would still be safe.