I have a simple Java app that use Eclipse JGit to pull remote repositories into the app to analyze and provide the user with code metric details on their projects. This app is supposed to be able to pull a repository at any time, so I would like to save the user's credentials in some way. Right now it's setup to accept a personal access token from the user's GitHub account. Is it safe to store this token using the Java Preferences API? That way the user could generate a token on their GitHub account, give it the proper access, and then enter that token into my app. This token would then be saved in the Preferences, and could be retrieved on startup so they don't need to enter it again.
Is their any danger to this, or is this alright since the token is being generated for the sole purpose of granting my app access to their repositories? I've also considered allowing for username and passwords to authenticate, but I assume that I would need to salt and hash those passwords before saving them, and since I can't decrypt that, there's no way to use the password in the JGit API without having the user enter their password again (which defeats the convenience of saving the password).
