by heme 4292 days ago
Is not a session cookie the same thing? I'd argue if your tokens only live in memory they can be more secure. It also depends how long your tokens live or how many requests they are good for. No?
1 comment

Usually the token kept in memory is one distributed by the application and is not that which the services send back. This allows greater restriction on actions and makes it far easier to revoke effectively.
> Usually the token kept in memory is one distributed by the application and is not that which the services send back.

What is application in that sentence? The API?

Isn't that what this lib does?

> A client-side Javascript SDK for authenticating with OAuth2 web services and querying their REST API's.

- I assume the API issues the token
- This lib receives it and uses it for subsequent calls
- The token is destroyed when browser session is closed.

I am referring to the application you are writing.
The token in this case is for the local user, that you know, logged into the service in question... How is it insecure for my browser, with me in front of it, to be logged into facebook? I mean, yes, if you're using anything other than a session cookie or sessionStorage, there's risk from other users on the system... but with an SPA, without any hard storage, it's no less secure than using that site/app.
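Added example (not from this thread, and not the SDK being discussed): a minimal in-memory token holder for an SPA that keeps the bearer token only in a closure, never in localStorage, sessionStorage or a cookie, so it is gone when the tab closes. It also enforces the two limits raised above, a lifetime and a request budget, so a token that leaks is useful for a bounded window. The injectable `now` clock and the `buildHeaders` helper are assumptions of this example for testability.

```javascript
// Added example: in-memory OAuth bearer token store for a browser SPA.
// Nothing here touches localStorage, sessionStorage, or document.cookie;
// the token exists only inside the closure returned by createTokenStore.
// `ttlMs` bounds how long the token lives, `maxUses` bounds how many
// requests it may sign. `now` is injectable (assumption) so the lifetime
// logic can be exercised deterministically without waiting.

function createTokenStore({ ttlMs, maxUses, now = () => Date.now() }) {
  let token = null;   // bearer token, kept only in this closure
  let expiresAt = 0;  // absolute timestamp after which the token is dead
  let usesLeft = 0;   // remaining requests this token may be attached to

  // Store a freshly issued token and reset its lifetime and request budget.
  function set(newToken) {
    if (typeof newToken !== "string" || newToken.length === 0) {
      throw new TypeError("token must be a non-empty string");
    }
    token = newToken;
    expiresAt = now() + ttlMs;
    usesLeft = maxUses;
  }

  // Wipe the token; after this, consume() returns null until set() is called again.
  function clear() {
    token = null;
    expiresAt = 0;
    usesLeft = 0;
  }

  // A token is usable only while it exists, is unexpired, and has budget left.
  function isValid() {
    return token !== null && now() < expiresAt && usesLeft > 0;
  }

  // Hand out one Authorization header value and consume one use.
  // Returns null (and wipes the token) if it is missing, expired, or exhausted.
  function consume() {
    if (!isValid()) {
      clear();
      return null;
    }
    usesLeft -= 1;
    const header = `Bearer ${token}`;
    if (usesLeft === 0) clear(); // last permitted use: drop it immediately
    return header;
  }

  return { set, clear, isValid, consume, usesLeft: () => usesLeft };
}

// Build request headers for one call without ever persisting the token.
// Returns null when the caller must re-authenticate first. (Assumed helper.)
function buildHeaders(store, extraHeaders = {}) {
  const auth = store.consume();
  if (auth === null) return null;
  return { ...extraHeaders, Authorization: auth };
}

// Stand-alone demo with a constructed clock (no network, no real token).
function demo() {
  let t = 1000;
  const store = createTokenStore({ ttlMs: 5000, maxUses: 2, now: () => t });
  store.set("constructed-token-abc");
  const first = buildHeaders(store, { Accept: "application/json" });
  const second = buildHeaders(store);
  const third = buildHeaders(store); // budget exhausted -> null
  store.set("constructed-token-def");
  t = 7000;                          // past expiresAt (1000 + 5000)
  const expired = buildHeaders(store); // expired -> null
  return { first, second, third, expired };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Usage note: the store only limits damage from a leaked token; the real point of the thread, that an SPA with no hard storage is no weaker than the site itself, still depends on the page not being script-injected, since any code running in the page can call `consume()` too.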