After discussing with @Fursum we came to the conclusion that best way to handle osu! API is to request data in backend and send it to frontend. This is needed as we didn't want to send bare access token to the users to avoid some exploits.
This implementation sends the encrypted access token inside our own JWT so that the key is stored in end user but they can't directly use it in osu! API endpoints.
This eliminates the need to handle and track access tokens in some sort of session system in backend.
After discussing with @Fursum we came to the conclusion that best way to handle osu! API is to request data in backend and send it to frontend. This is needed as we didn't want to send bare access token to the users to avoid some exploits.
This implementation sends the encrypted access token inside our own JWT so that the key is stored in end user but they can't directly use it in osu! API endpoints.
This eliminates the need to handle and track access tokens in some sort of session system in backend.