I'm developing a Reactive Web App. In the app, I'm using APIs that are protected by oAuth, so basically bearer-tokens. Question about the tokens!

In traditional web app I'd store the token (which has quite short TTL) in Session Variable, as it does not need to be persisted for a long time and it's ok to fetch it again every now and then. As session variables are stored in server side, they don't leak that easily so I believe this is pretty standard way to achieve the thingy.

Then comes Reactive Web App. We don't have sessions any more as our backend is stateless. What we have is a Client Variable. As client variable is stored in browser memory and accessible through web development tools, it sounds a bit sketchy place to store security tokens. Are client variables encrypted somehow?

If I can't use client variable, only way to store it safely is to store token in database and use all queries from backend (so token is never stored in frontend at all). I guess this is the best practice anyways. 

I'm interested of approaches you've taken and if someone (e.g. from OutSystems) can explain how client variables are protected (or are they).