Learn about security best practices while developing on Smartcar.

At Smartcar, our priority is to ensure the security of your data as well as your app users' data. This guide goes through some of the best practices you can follow to keep your application and user data as secure as possible.


Client Credentials - Your client credentials consist of your client ID and client secret. Think of these as your username and password to Smartcar.

Authorization Code - An authorization code represents a user's consent to grant your application access to their vehicle.

Access Token - An access_token represents your application's access to a vehicle on behalf of the vehicle owner.

Refresh Token - A refresh_token gives you the ability to renew your access_token.

Token security

Client security

Your application should load your client secret via an environment variable.

Never expose your client secret.
Read more about storing your credentials in environment variables.

Authorization code

You don't need to store your authorization code. Instead, exchange it for an access_token in your back end, immediately after receiving it. The authorization_code expires 10 minutes after being issued.

Access token

Store your access_token in a persistent store in your back end (e.g. SQL DB or session store). If you expose your access_token in your front end, your application's security will be at risk, potentially giving bad actors access to your users' data.

Never expose your access token on your front end.

Refresh token

We recommend that you keep your refresh_token and its expiration in the same store along with your access_token.

Further reading

Read the OAuth2 spec about security considerations.