I am developing an Android app and wondering whether also using FCM tokens as authorization tokens (and dropping the current custom tokens) would be good practice.
- When the application is started for the first time the user gets a new
- With the login data, the app also sends the token
- On successful login, the token is stored on the server (with a generated expiration date), and will be sent from now on with each request from the client
- The server uses the token for validation of the request and for sending push notifications
- When the token expiration date has passed, the requests will fail and the user will be redirected to login
Everything good so far, but what about FCM token rotation?
Should I save the FCM token in shared preferences?
How about the user being logged in on multiple devices?
Any advice on the matter would be much appreciated.
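
The flow listed in the question, modelled server-side as an added example (not part of the original post): tokens are stored per device with an expiry, and the demo shows what the server sees with multiple devices, after a token rotation, and after expiry. The store, its method names, the TTL and the token strings are all assumptions made for illustration.

```python
# Added example: an in-memory model of the scheme described in the question.
# All names (TokenStore, login, validate, push_targets) are hypothetical.
from dataclasses import dataclass, field

SESSION_TTL = 3600  # seconds; constructed value


@dataclass
class TokenStore:
    # token -> (user, expires_at); keyed by token so one user can hold several devices
    rows: dict = field(default_factory=dict)

    def login(self, user, token, now):
        """Store the token sent with the login data, with a generated expiry."""
        self.rows[token] = (user, now + SESSION_TTL)

    def validate(self, token, now):
        """Return the user for a live token, or None (client must log in again)."""
        row = self.rows.get(token)
        if row is None:
            return None           # unknown token, e.g. a rotated one
        user, expires_at = row
        if now >= expires_at:
            del self.rows[token]  # expired: also stops being a push target
            return None
        return user

    def push_targets(self, user, now):
        """Tokens the server would address push notifications to for this user."""
        return sorted(t for t, (u, exp) in self.rows.items() if u == user and now < exp)


def demo():
    store, t0 = TokenStore(), 1_000
    store.login("alice", "tok-phone-A", t0)    # constructed token strings
    store.login("alice", "tok-tablet-B", t0)   # second device, same user
    results = {
        "both_devices": store.push_targets("alice", t0 + 1),
        "valid": store.validate("tok-phone-A", t0 + 1),
        # Rotation: the phone now holds a new token the server never saw.
        "after_rotation": store.validate("tok-phone-A2", t0 + 2),
        # The old token is still accepted server-side until it expires.
        "old_still_valid": store.validate("tok-phone-A", t0 + 2),
        "after_expiry": store.validate("tok-tablet-B", t0 + SESSION_TTL),
    }
    results["targets_after_expiry"] = store.push_targets("alice", t0 + SESSION_TTL)
    return results
```

In this model a rotated token fails validation exactly like an expired one, while the stale pre-rotation token remains both a valid credential and a push target until its expiry passes.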