An API token is a refresh token used to generate an authentication token for signing in to the Own Data Platform via the API, so that a client can perform operations within the Own account.
Since the API token gives access to operations that can affect the data stored in your Own account, it should be treated just as securely as a username and password or any other authentication method.
To grant a customer-developed client application access to the Own API via an API token, you must store that credential in a way that lets your client application read it when it calls the Own API.
Protection of the API token is therefore entirely outside Own's control and depends wholly on how carefully your application meets its security requirements. Own strongly recommends applying some of the good practices listed here and avoiding all of the poor practices.
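The paragraph above leaves the mechanics of "storing the credential so the application can read it" to the developer. The following Python loader is an added illustration, not Own's code or documentation: the environment variable name, the default file location and the helper names are assumptions. It reads the token from the process environment or from a file whose permissions it first verifies, never from source code, and returns a redacted form for log output so the credential itself is not written to logs.

```python
import os
import stat
from pathlib import Path

# Assumed names: Own does not define an environment variable or file path for
# the API token; these are placeholders chosen for this example.
TOKEN_ENV_VAR = "OWN_API_TOKEN"
DEFAULT_TOKEN_FILE = Path.home() / ".own" / "api_token"


class TokenStorageError(Exception):
    """Raised when the API token is missing or stored in an unsafe way."""


def load_api_token(env_var=TOKEN_ENV_VAR, token_file=None):
    """Return the API token from the environment or a permission-checked file.

    Lookup order: the environment variable first (typical for containers and
    CI runners, where the orchestrator injects the secret), then a file that
    must be readable only by its owner (POSIX mode bits; this check does not
    apply on Windows, where an ACL would be verified instead).
    """
    value = os.environ.get(env_var)
    if value and value.strip():
        return value.strip()

    path = Path(token_file) if token_file else DEFAULT_TOKEN_FILE
    if not path.is_file():
        raise TokenStorageError(f"no API token in ${env_var} or at {path}")

    # Refuse a token file that group or others can read or write: a world-
    # readable file leaks the credential to every local account.
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise TokenStorageError(
            f"{path} has mode {mode:o}; restrict it to the owner (chmod 600)"
        )

    token = path.read_text(encoding="utf-8").strip()
    if not token:
        raise TokenStorageError(f"{path} is empty")
    return token


def redact(token, keep=4):
    """Return a display-safe form such as '****1234' for log messages.

    A fixed-width mask is used so the log does not reveal the token length.
    """
    if len(token) <= keep:
        return "****"
    return "****" + token[-keep:]


if __name__ == "__main__":
    try:
        api_token = load_api_token()
        print(f"loaded API token {redact(api_token)}")
    except TokenStorageError as exc:
        print(f"cannot load API token: {exc}")
```

The loader treats an over-permissive token file as a hard error rather than a warning, because silently using a credential that other local users can read defeats the purpose of storing it outside the application; the same refusal is what you would want from a deployment check that runs before the client starts.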
Examples of good practice for storing the API token as an application secret:
Examples of poor practice for storing the API token as an application secret: