OAuth tokens should never be stored as plain text. Encrypt access and refresh tokens at rest and restrict token access to the publishing service.
Recommended workflow
Refresh tokens before access expiry and show account health states such as connected, warning, expired, and disconnected.
Protect OAuth callbacks with session state values, CSRF checks, strict redirect URLs, and clear reconnect flows.
Measure and improve
Log every token refresh, API error, disconnect action, and publishing failure so administrators can diagnose issues without exposing secret values.