Auth flows for MV3
Use external auth pages and redirect flows; keep on the client only what it must know.
Patterns
- Use the system browser or the browser's web auth flow (redirect-based) instead of embedding secrets in the extension.
- Short-lived access tokens; refresh handled server-side.
- Scopes map cleanly to extension permissions and user actions.
Storage
- Avoid long-term secrets in the client.
- Prefer session tokens or backend proxies that mint scoped tokens.
- Rotate and expire aggressively; encrypt at rest where applicable.
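The redirect pattern and the storage rules above, as an added example (not code from this page): the extension sends the user through a visible redirect flow, checks the returned state, and hands the authorization code to a backend that holds the client secret; the client keeps only a short-lived session token. The https://auth.example.com origin and its /authorize and /session endpoints, the injected launch/fetchFn/storage hooks and the JSON response shape are assumptions.

```javascript
// Added example: MV3 redirect login where the client holds only a short-lived
// session token. Backend origin and endpoints are hypothetical placeholders.
const AUTH_ORIGIN = "https://auth.example.com";

// Build the authorization URL. `state` binds the redirect to this attempt.
function buildAuthUrl(clientId, redirectUri, scopes, state) {
  const u = new URL("/authorize", AUTH_ORIGIN);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", scopes.join(" "));
  u.searchParams.set("state", state);
  return u.toString();
}

// Parse the redirect the browser hands back; refuse it unless `state` matches.
function parseRedirect(redirectUrl, expectedState) {
  const p = new URL(redirectUrl).searchParams;
  if (p.get("error")) throw new Error("authorization denied: " + p.get("error"));
  if (p.get("state") !== expectedState) throw new Error("state mismatch");
  const code = p.get("code");
  if (!code) throw new Error("redirect carried no authorization code");
  return code;
}

// deps.launch opens the flow and resolves with the final redirect URL; in an
// extension that is (url) => chrome.identity.launchWebAuthFlow({ url, interactive: true })
// with redirectUri = chrome.identity.getRedirectURL(); interactive: true keeps the
// consent screen visible. deps.storage is chrome.storage.session (in-memory only).
async function startLogin({ clientId, redirectUri, scopes, launch, fetchFn, storage, state }) {
  if (!state) {
    const bytes = crypto.getRandomValues(new Uint8Array(16));
    state = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  }
  const redirectUrl = await launch(buildAuthUrl(clientId, redirectUri, scopes, state));
  const code = parseRedirect(redirectUrl, state);
  // The backend redeems the code with the client secret it alone holds and keeps
  // any refresh token server-side; the extension receives only a short-lived token.
  const res = await fetchFn(new URL("/session", AUTH_ORIGIN).toString(), {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ code, redirect_uri: redirectUri }),
  });
  if (!res.ok) throw new Error("token exchange failed: HTTP " + res.status);
  const { session_token, expires_in } = await res.json();
  const session = { token: session_token, expiresAt: Date.now() + expires_in * 1000 };
  await storage.set({ session }); // never the client secret or a refresh token
  return session;
}
```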
Pitfalls
- Embedding client secrets in the extension package.
- Over-broad scopes not tied to explicit user intent.
- Silent auth flows without user awareness or consent.