
How to Store Data Securely in a Chrome Extension

October 2, 2025

Extensions often need to store something — settings, tokens, user data. The easy path is to dump it in localStorage and move on, but extensions handle sensitive data and run inside a shared browser profile, so where and how you store it matters more than in a normal web app.

Use chrome.storage

chrome.storage is the extension-native option: accessible from the background worker and popup, able to sync across the user’s devices if you want, and the correct home for extension data. Plain localStorage is tied to a single context and isn’t the right tool here. Note that chrome.storage.local and chrome.storage.sync are not encrypted at rest, so they are the right place for extension data but not a vault: anything that can read the profile directory can read them, which is why the next two sections matter.

Never ship secrets you don’t have to

The biggest mistake is bundling an API key inside the extension. Anyone can unpack an extension and read its code, so a bundled key is effectively public. If your extension talks to a paid API, route those calls through your own backend that holds the key — don’t embed it.

Treat user tokens carefully: scope them tightly and expire them, because a token that lives forever in storage is a standing risk if the device is compromised. And request the minimum permissions — every permission is attack surface and a reason for users and reviewers to distrust the extension.
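As an added example (not code from the original post), here is a small token store on top of chrome.storage.local that persists a token together with its scope and an absolute expiry, and refuses to hand back a token that is expired or scoped differently from what the caller needs. `memoryStorage` is a constructed stand-in with the same promise-based get/set/remove shape as chrome.storage.local, so the code runs outside a browser; in the extension, pass `chrome.storage.local` instead.

```javascript
// Added example, not from the original post: a scoped, expiring token record
// kept in chrome.storage.local. chrome.storage is not encrypted at rest, so the
// point is to bound how long a stored token stays useful, not to hide it.
const TOKEN_KEY = 'session_token';

// Build the record we persist: the token, its scope and an absolute expiry time.
function makeTokenRecord(token, scope, ttlMs, now = Date.now()) {
  if (!Number.isFinite(ttlMs) || ttlMs <= 0) throw new Error('ttlMs must be positive');
  return { token, scope, expiresAt: now + ttlMs };
}

// A record with no numeric expiry is treated as expired rather than immortal.
function isExpired(record, now = Date.now()) {
  return typeof record?.expiresAt !== 'number' || now >= record.expiresAt;
}

// Return the token only if the record is well-formed, unexpired and carries the
// scope the caller needs; otherwise null, and the caller re-authenticates.
function tokenFromRecord(record, requiredScope, now = Date.now()) {
  if (!record || typeof record.token !== 'string') return null;
  if (isExpired(record, now)) return null;
  if (requiredScope && record.scope !== requiredScope) return null;
  return record.token;
}

async function saveToken(storage, token, scope, ttlMs) {
  await storage.set({ [TOKEN_KEY]: makeTokenRecord(token, scope, ttlMs) });
}

async function loadToken(storage, requiredScope) {
  const items = await storage.get(TOKEN_KEY);
  const record = items[TOKEN_KEY];
  // Expired records are removed so they do not linger on disk.
  if (record !== undefined && isExpired(record)) await storage.remove(TOKEN_KEY);
  return tokenFromRecord(record, requiredScope);
}

// Constructed in-memory stand-in for chrome.storage.local (MV3 promise API).
function memoryStorage() {
  const data = {};
  return {
    async get(key) { return key in data ? { [key]: data[key] } : {}; },
    async set(items) { Object.assign(data, items); },
    async remove(key) { delete data[key]; },
  };
}

// Usage (use chrome.storage.local in place of memoryStorage() in the extension).
async function demo() {
  const storage = memoryStorage();
  await saveToken(storage, 'tok_example', 'read:notes', 15 * 60 * 1000);
  return loadToken(storage, 'read:notes'); // resolves to 'tok_example' for 15 minutes
}
```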

Store data in chrome.storage, keep real secrets on your server, scope and expire tokens, and ask for as little access as possible.