An Android auth architecture with encrypted tokens, auto-refresh, and reactive navigation
A deep dive into a production-grade Android authentication architecture that goes beyond simply storing a token. Tokens are persisted in DataStore encrypted with Google Tink (AES-256-GCM); auth state is exposed as a reactive Flow so navigation reacts automatically to login, logout and refresh events; and Ktor's Auth plugin handles JWT auto-refresh transparently. Key design decisions include two separate HTTP clients (plain and authenticated) so that a refresh request can never re-enter the refresh logic, a local JWT expiry check with a 30-second buffer on cold start (the check only decides whether to refresh before the first request; the server still validates the token), and Koin DI to structurally enforce which client reaches which endpoint. Trade-offs between Koin and Hilt, Navigation 3 and classic Navigation Compose, and Result-based error handling are also discussed.
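The following sketch, added here as an illustration and not taken from the article, shows how the pieces described above fit together in Kotlin: a local `exp` check with the 30-second buffer, a Tink AES-256-GCM token store whose keyset is wrapped by an Android Keystore master key, a plain Ktor client reserved for refresh so the authenticated client's bearer provider cannot recurse, and a `StateFlow` that navigation can collect. It assumes Ktor client with the Auth plugin and an Android engine on the classpath, Tink's android integration, and `org.json`; the refresh URL, JSON field names, keyset and preference names are hypothetical, and SharedPreferences stands in for the article's DataStore to keep the example short.

```kotlin
// Added example, not the article's code. Assumes Ktor client (Auth plugin + Android engine),
// Tink android integration and org.json. URL, field names and keyset names are hypothetical.
import android.content.Context
import com.google.crypto.tink.Aead
import com.google.crypto.tink.KeyTemplates
import com.google.crypto.tink.aead.AeadConfig
import com.google.crypto.tink.integration.android.AndroidKeysetManager
import io.ktor.client.HttpClient
import io.ktor.client.call.body
import io.ktor.client.plugins.auth.Auth
import io.ktor.client.plugins.auth.providers.BearerTokens
import io.ktor.client.plugins.auth.providers.bearer
import io.ktor.client.request.post
import io.ktor.client.request.setBody
import io.ktor.http.ContentType
import io.ktor.http.contentType
import io.ktor.http.isSuccess
import kotlinx.coroutines.flow.MutableStateFlow
import kotlinx.coroutines.flow.StateFlow
import org.json.JSONObject
import java.util.Base64

sealed interface AuthState {
    data object LoggedOut : AuthState
    data class LoggedIn(val tokens: BearerTokens) : AuthState
}

/** Local check of the JWT `exp` claim. The signature is deliberately not verified here
 *  (the server does that); the client only decides whether the token is worth sending.
 *  Anything expiring within [bufferSeconds] counts as expired so a cold-start request
 *  does not race the expiry in flight. Malformed input is treated as expired. */
fun jwtExpiresWithin(jwt: String, bufferSeconds: Long = 30,
                     nowEpochSeconds: Long = System.currentTimeMillis() / 1000): Boolean {
    val parts = jwt.split('.')
    if (parts.size != 3) return true
    val exp = try {
        JSONObject(String(Base64.getUrlDecoder().decode(parts[1]))).optLong("exp", 0L)
    } catch (e: Exception) { return true }
    return exp - bufferSeconds <= nowEpochSeconds
}

/** Tokens at rest: AES-256-GCM via Tink, keyset wrapped by an Android Keystore master key. */
class EncryptedTokenStore(context: Context) {
    private val prefs = context.getSharedPreferences("auth_tokens", Context.MODE_PRIVATE)
    private val aead: Aead = run {
        AeadConfig.register()
        AndroidKeysetManager.Builder()
            .withSharedPref(context, "auth_keyset", "auth_keyset_prefs")
            .withKeyTemplate(KeyTemplates.get("AES256_GCM"))
            .withMasterKeyUri("android-keystore://auth_master_key")
            .build().keysetHandle.getPrimitive(Aead::class.java)
    }
    private val aad = "auth_tokens_v1".toByteArray() // binds the ciphertext to this purpose

    fun save(t: BearerTokens) {
        val plain = JSONObject().put("access", t.accessToken).put("refresh", t.refreshToken)
        val ct = aead.encrypt(plain.toString().toByteArray(), aad) // Tink picks a fresh IV
        prefs.edit().putString("blob", Base64.getEncoder().encodeToString(ct)).apply()
    }
    fun load(): BearerTokens? = try {
        val blob = prefs.getString("blob", null) ?: return null
        val json = JSONObject(String(aead.decrypt(Base64.getDecoder().decode(blob), aad)))
        BearerTokens(json.getString("access"), json.getString("refresh"))
    } catch (e: Exception) { null } // tampered or undecryptable blob: treat as logged out
    fun clear() = prefs.edit().remove("blob").apply()
}

class AuthManager(private val store: EncryptedTokenStore) {
    private val _state = MutableStateFlow<AuthState>(AuthState.LoggedOut)
    val state: StateFlow<AuthState> = _state // navigation collects this and reacts

    /** Plain client: no Auth plugin. Only login/refresh use it, so a 401 from the refresh
     *  endpoint can never re-enter the bearer provider and recurse. */
    private val plainClient = HttpClient()

    /** Authenticated client for every other endpoint. */
    val authedClient = HttpClient {
        install(Auth) {
            bearer {
                loadTokens { // cold start: refresh up front if the access token is (nearly) expired
                    val t = store.load() ?: return@loadTokens null
                    if (jwtExpiresWithin(t.accessToken)) refresh(t.refreshToken) else t
                }
                refreshTokens { refresh(oldTokens?.refreshToken) } // API answered 401
            }
        }
    }

    private suspend fun refresh(refreshToken: String?): BearerTokens? {
        if (refreshToken == null) return logout()
        val resp = plainClient.post("https://api.example.com/auth/refresh") {
            contentType(ContentType.Application.Json)
            setBody(JSONObject().put("refreshToken", refreshToken).toString())
        }
        if (!resp.status.isSuccess()) return logout() // refresh token revoked or expired
        val json = JSONObject(resp.body<String>())
        val tokens = BearerTokens(json.getString("accessToken"), json.getString("refreshToken"))
        store.save(tokens)
        _state.value = AuthState.LoggedIn(tokens)
        return tokens
    }

    fun logout(): BearerTokens? { // returns null so it can end the refresh path directly
        store.clear()
        _state.value = AuthState.LoggedOut
        return null
    }
}
```

Two details worth checking in a real deployment: `loadTokens` is invoked once and its result cached by Ktor, so the expiry check guards the cold-start path only, and a 401 on a later request goes through `refreshTokens`; and every failed refresh collapses to `logout()`, which is what makes the `StateFlow` sufficient for navigation, since there is no third state in which the app holds tokens it cannot use.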