How I solved app-to-web authentication for subscriptions
The problem
I needed to move an authenticated user from a mobile app to a website so they could complete a subscription flow outside the app.
The challenge was authentication.
The user was already logged in inside the app, but the website did not know who that user was. Asking the user to log in again would create friction, but sending credentials directly from the app to the website would be unsafe.
So the main question was:
How can I securely transfer the user session from the app to the web without exposing sensitive data?
What I did
I created a temporary authentication flow using short-lived tokens.
When the user taps the subscription button inside the app, the backend generates a temporary token and stores it in Redis with an expiration time.
Then, the app opens the subscription website using Expo Web Browser and sends only that temporary token.
On the web side, the backend validates the token, checks if it is still valid, identifies the user, invalidates the token, and creates a new authenticated web session.
In practice, the token works only once and only for a short period of time.
Why I did it
I wanted the flow to be simple for the user, but still controlled and secure from the backend side.
The user does not need to log in again, and the app does not need to expose credentials, passwords, or long-lived tokens to the browser.
Redis was useful because temporary tokens need to expire automatically. This makes the flow safer and easier to manage.
This approach also keeps the responsibility where it belongs: the backend controls authentication, the app only starts the flow, and the website only trusts validated temporary tokens.
What's next
The next step is to improve this flow with additional security checks, such as device validation, IP verification, rate limiting, and better monitoring.
I also want to add more observability to understand how often users start the subscription flow, how many complete it, and where they drop off.
This would make the solution not only secure, but also measurable from a product and engineering perspective.