If you are looking to do something like GitHub’s Personal Access Tokens (PAT), then it is easiest to just think about it like a password:

1. Create a high-entropy (secure) string
2. Store the hash of the string in a database table
3. Store the permissions and other metadata with the PAT’s hash
4. Validate the PAT (permissions, revoke status, etc.) on each request to the server

Storing the hash of the token, like you do with passwords, is a good practice in case your db is ever compromised, as it won’t leave the tokens accessible and reusable without a lot of effort.
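The four steps above as a runnable sketch. This is an added example, not code from the original post; the `pats` table layout, the function names, the scope strings and the choice of unsalted SHA-256 are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

# In-memory database for the example; table and column names are hypothetical.
db = sqlite3.connect(":memory:")
db.execute(
    "CREATE TABLE pats (token_hash TEXT PRIMARY KEY, user_id INTEGER,"
    " scopes TEXT, revoked INTEGER DEFAULT 0)"
)

def hash_token(token: str) -> str:
    # Assumption: plain SHA-256 is acceptable here because the token is a
    # random 256-bit value, unlike a human-chosen password.
    return hashlib.sha256(token.encode()).hexdigest()

def create_pat(user_id: int, scopes: list[str]) -> str:
    """Steps 1-3: generate the token, store only its hash plus metadata."""
    token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    db.execute(
        "INSERT INTO pats (token_hash, user_id, scopes) VALUES (?, ?, ?)",
        (hash_token(token), user_id, " ".join(scopes)),
    )
    return token  # shown to the user once; the plaintext is never stored

def revoke_pat(token: str) -> None:
    db.execute(
        "UPDATE pats SET revoked = 1 WHERE token_hash = ?", (hash_token(token),)
    )

def authorize(token: str, required_scope: str):
    """Step 4: run on every request. Returns the user_id, or None to reject."""
    row = db.execute(
        "SELECT user_id, scopes, revoked FROM pats WHERE token_hash = ?",
        (hash_token(token),),
    ).fetchone()
    if row is None:
        return None  # unknown token
    user_id, scopes, revoked = row
    if revoked or required_scope not in scopes.split():
        return None  # revoked, or the token lacks the needed permission
    return user_id

if __name__ == "__main__":
    t = create_pat(7, ["repo:read"])
    print(authorize(t, "repo:read"), authorize(t, "repo:write"))
```

Looking the token up by its hash means a dump of the `pats` table contains no value that can be replayed as a credential.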