Yes I know how a session works, lol. It’s just that for my usecase, I wanted to have something completely stateless, i.e. no database, no session, no nothing, so storing it on the user’s device in an encrypted fashion would be the only option. I’m not really sure what your point is anyway? My question got answered and the way I’m doing it now works perfectly fine (i.e. just send the access token to the server with each request to prove that the user is logged in with twitch and authenticated with my app).