I've been working on implementing an API in C#. The implementation is going well, but I did come across a concern.
When my library has authorized against the API I have an auth_token which I use for subsequent queries to the web service.
The token needs to be kept between program runs as it stays the same for the user (although I do check if it is still valid when the application starts).
For testing purposes I basically just save the token into a text file which is kept in the root directory of the app.
This works fine, but is this the best way?
Not sure the user will appreciate that it gets saved in a cleartext file (even if it is on his own PC).
So, what is general practice for saving tokens like this?
I would use the Windows Data Protection API. There are numerous examples around on how to use it from C#. It uses a user-specific key to encrypt the data. Only the user themselves can decrypt it. Also be sure to secure the data during transmission between the server and the client.
Create a settings file for your project in the project properties, add an AuthToken
property to the known settings (probably at the user level), then use:
Properties.Settings.Default.AuthToken = userAuthToken;
If you think they'll want it hidden, encrypt or encode the userAuthToken
so it is less obvious.
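A worked version of the two answers above (DPAPI on the one hand, a stored setting with the token encoded "so it is less obvious" on the other), added here as example code that is not part of the question or of either answer. It assumes a Windows host, the ProtectedData class from System.Security.Cryptography (the System.Security assembly on .NET Framework, or the System.Security.Cryptography.ProtectedData package on .NET Core/5+), and a hypothetical app name "ExampleApp"; the entropy string is a constructed placeholder. Rather than the app's root directory it writes the protected blob under the per-user LocalApplicationData folder, and it also exposes a Base64 form for anyone who would rather keep the value in a string-typed setting such as Properties.Settings.Default.AuthToken.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example: persist an API auth token with DPAPI so that only the
// current Windows user account can decrypt it.
public static class TokenStore
{
    // Optional entropy mixed into the DPAPI key. It is not a secret on its own,
    // but it keeps other DPAPI-using programs running as the same user from
    // unprotecting this blob by accident. Constructed placeholder value.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("example-app-token-store-v1");

    // %LOCALAPPDATA%\<appName>\auth_token.bin: per-user, not roamed, and
    // writable without elevation, unlike the application's install directory.
    private static string TokenPath(string appName) =>
        Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
            appName, "auth_token.bin");

    public static void Save(string appName, string authToken)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(authToken);
        byte[] blob = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plaintext, 0, plaintext.Length); // don't leave the token lying around in memory

        string path = TokenPath(appName);
        Directory.CreateDirectory(Path.GetDirectoryName(path));
        File.WriteAllBytes(path, blob);
    }

    // Returns null when no usable token is cached; the caller then re-authenticates.
    public static string Load(string appName)
    {
        string path = TokenPath(appName);
        if (!File.Exists(path))
            return null;

        try
        {
            byte[] plaintext = ProtectedData.Unprotect(
                File.ReadAllBytes(path), Entropy, DataProtectionScope.CurrentUser);
            string token = Encoding.UTF8.GetString(plaintext);
            Array.Clear(plaintext, 0, plaintext.Length);
            return token;
        }
        catch (CryptographicException)
        {
            // Blob was written under a different user/machine key or has been
            // modified on disk. Treat it as "no cached token" and discard it.
            File.Delete(path);
            return null;
        }
    }

    // Text form of the same protected blob, for a string-typed settings property
    // (e.g. Properties.Settings.Default.AuthToken) instead of a file.
    public static string ProtectToBase64(string authToken) =>
        Convert.ToBase64String(ProtectedData.Protect(
            Encoding.UTF8.GetBytes(authToken), Entropy, DataProtectionScope.CurrentUser));

    public static string UnprotectFromBase64(string base64) =>
        Encoding.UTF8.GetString(ProtectedData.Unprotect(
            Convert.FromBase64String(base64), Entropy, DataProtectionScope.CurrentUser));
}

public static class Program
{
    public static void Main()
    {
        const string app = "ExampleApp";                 // hypothetical app name
        const string token = "constructed-sample-token"; // constructed, not a real credential

        TokenStore.Save(app, token);
        string roundTrip = TokenStore.Load(app);
        Console.WriteLine(roundTrip == token ? "file round-trip ok" : "file round-trip FAILED");

        string setting = TokenStore.ProtectToBase64(token);
        Console.WriteLine(TokenStore.UnprotectFromBase64(setting) == token
            ? "settings round-trip ok" : "settings round-trip FAILED");
    }
}
```

DataProtectionScope.CurrentUser is the scope that matches the answer's "only the user themselves can decrypt it"; LocalMachine would let any process on the box read the token back. The CryptographicException branch matters in practice: a roaming profile, a reinstalled OS, or a copied file all produce a blob the current key cannot open, and the clean recovery is to drop it and authenticate again.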
You can check whether the API is being used under ASP.NET or in a Windows desktop environment (it's enough to check if Request is null), and in the first case use a cookie, in the latter save it in a registry key.