snarfed / bridgy

📣 Connects your web site to social media. Likes, retweets, mentions, cross-posting, and more...
https://brid.gy
Creative Commons Zero v1.0 Universal
703 stars 52 forks

Encrypt (with salt) tokens in datastore #1647

Open snarfed opened 6 months ago

snarfed commented 6 months ago

We should encrypt (with salt) the tokens in the datastore, with a static key deployed with the app. Tokens are already encrypted at rest, and this isn't a silver bullet against other attacks, but it defends against SQL injection style attacks that exfiltrate keys through the app itself. (We're not subject to SQL injection since we don't use SQL, but the broader idea still applies.)
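As an added illustration of the scheme this issue proposes (example code written for this page, not bridgy's own implementation): a static app key is loaded from deployment configuration, every stored token gets its own random salt, and the datastore only ever holds salt, ciphertext and an authentication tag. The example uses only the Python standard library (HMAC-SHA256 in counter mode as the cipher, with encrypt-then-MAC) so it runs anywhere; the environment variable name `BRIDGY_TOKEN_KEY_HEX`, the demo key and the `user:alice` record are all constructed assumptions. `store_and_check` shows what an attacker who dumps a record through the app would get: the blob, not the token.

```python
import hashlib
import hmac
import os
import secrets

SALT_LEN = 16   # per-token random salt (also serves as the nonce)
TAG_LEN = 32    # HMAC-SHA256 authentication tag


def load_app_key() -> bytes:
    """Static key deployed with the app. Read from an environment variable
    (BRIDGY_TOKEN_KEY_HEX is an assumed name, not one bridgy defines); the
    fallback is a constructed demo key so the example runs offline."""
    hex_key = os.environ.get("BRIDGY_TOKEN_KEY_HEX")
    if hex_key:
        return bytes.fromhex(hex_key)
    return bytes(range(32))  # constructed demo key; never use in production


def _subkey(app_key: bytes, salt: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys per record from the static key
    # and the record's salt, so two records never share a keystream.
    return hmac.new(app_key, label + salt, hashlib.sha256).digest()


def _keystream(enc_key: bytes, salt: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stream cipher stand-in.
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, salt + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt_token(token: str, app_key: bytes) -> bytes:
    """Return salt || ciphertext || tag, the blob that goes into the datastore."""
    salt = secrets.token_bytes(SALT_LEN)
    plaintext = token.encode("utf-8")
    stream = _keystream(_subkey(app_key, salt, b"enc"), salt, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC over salt and ciphertext so tampering is detected.
    tag = hmac.new(_subkey(app_key, salt, b"mac"), salt + ciphertext,
                   hashlib.sha256).digest()
    return salt + ciphertext + tag


def decrypt_token(blob: bytes, app_key: bytes) -> str:
    """Verify the tag first, then decrypt. Raises ValueError on a wrong key
    or a modified record instead of returning garbage."""
    if len(blob) < SALT_LEN + TAG_LEN:
        raise ValueError("stored token blob is truncated")
    salt = blob[:SALT_LEN]
    ciphertext = blob[SALT_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(_subkey(app_key, salt, b"mac"), salt + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("stored token failed authentication")
    stream = _keystream(_subkey(app_key, salt, b"enc"), salt, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8")


def store_and_check(token: str, app_key: bytes) -> dict:
    """Round-trip a token through a constructed in-memory 'datastore' and report
    what someone who dumps the stored record through the app would see."""
    datastore = {"user:alice": encrypt_token(token, app_key)}  # constructed record
    dumped = datastore["user:alice"]             # what a record dump returns
    return {
        "roundtrip_ok": decrypt_token(dumped, app_key) == token,
        "plaintext_leaked": token.encode("utf-8") in dumped,
        "salted": encrypt_token(token, app_key) != dumped,
    }


if __name__ == "__main__":
    print(store_and_check("oauth-token-EXAMPLE-123", load_app_key()))
```

The per-record salt is what makes identical tokens store as different blobs and keeps a key-derivation or keystream from being reused across records; the tag is what turns a swapped or edited record into a hard error rather than a silently wrong token. In a real deployment the HMAC counter-mode cipher would be replaced by a vetted AEAD such as AES-GCM from the `cryptography` package, keeping the same key-from-config, salt-per-record, verify-before-decrypt shape.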