I know Monzo uses magic links and JWTs in the web application, but how do they handle authentication in the mobile app? If they still use tokens, how are these stored? I notice that I never have to login again, so if there’s refresh tokens, access tokens etc how are these being managed?
They use access tokens that expire after a few hours. It’s all in the API documentation
Presumably long-lived JWT or OAuth with refresh token stored in the device’s keychain?
Do you have a link to this bit of the documentation? I’ve read all the bits about authenticating with your own apps, but I haven’t seen anything about how Monzo authenticates users in their own mobile app.
Thanks! Do you reckon they use a non-expiring refresh/one that lasts months, years etc? I only ask because in the one year+ I’ve used Monzo, I’ve never had to login again. So it’s never seemed like any refresh token has expired. Hence I would wonder, if they’re using a long-lived JWT, what precautions are there to make sure no one else can use it? Any resources on auth in the mobile app always talk about about biometrics, and strong customer authentication, but barely anything on the actual mechanisms they use to identify people. Thanks for your response