Secure Token and Storage Fundamentals in React Native

What is the primary reason access tokens should be kept in memory rather than persisted to disk in a React Native app?

Why is `expo-secure-store` preferred over `AsyncStorage` for storing refresh tokens?

In the access/refresh token pattern, why is the access token designed to be short-lived (e.g., 5-15 minutes)?

What problem does "refresh token rotation" specifically address?

Why shouldn't sensitive clinical/PHI data be persisted via `redux-persist` using its default storage engine in a healthcare RN app?

What is the purpose of adding a biometric re-confirmation step (e.g., Face ID) on top of an already-valid OAuth session when the app returns from background?

In the "single-flight" refresh pattern, what problem is being solved when multiple API calls receive a 401 simultaneously?

What is the main security benefit of sender-constrained tokens (e.g., via DPoP or mTLS client certificates) over a standard bearer refresh token?

Why is certificate pinning relevant to protecting tokens, even though tokens are already stored securely on-device?

If a refresh token is stolen by an attacker but rotation/reuse-detection somehow fails to catch it, which mechanism still bounds the potential damage?

Which library combination is most appropriate for implementing a PKCE-compliant OAuth/OIDC login flow in an Expo-managed React Native app, while avoiding an embedded login WebView?

You need to store a refresh token securely in an Expo-managed RN app. Which snippet correctly does this using `expo-secure-store`?

In an RTK Query setup, where is the correct place to implement the single-flight token-refresh-on-401 logic?

Which approach correctly implements certificate pinning for API calls handling PHI in a React Native app?

A teammate suggests storing both the access token and refresh token together in a single `expo-secure-store` entry as a JSON string to simplify the code. What's the main concern with this approach?