I have developed a custom widget for the ArcGIS Experience Builder that is tasked with making requests to my own API. This API is designed to return specific data from our system. For this purpose, the widget needs to internally perform the requests and consume the data returned by the API. However, a key challenge in this process is authentication: it is necessary to obtain an access token through login credentials (username and password) to authenticate the requests to the API. This access token will ensure that only authorized users can access and retrieve the necessary data from our system.
How can I implement a secure authentication solution for third-party APIs in custom widgets developed for the ArcGIS Experience Builder, ensuring the use of tokens for API requests? Specifically, I'm looking for best practices on managing and refreshing tokens, securely storing credentials, and handling token-based authentication within the widgets, considering the architecture and capabilities of the Experience Builder platform.
PS: I have gone through the 'Shared Authentication' section in the ArcGIS Experience Builder documentation (https://doc.arcgis.com/en/experience-builder/latest/configure-widgets/embed-widget.htm), but I'm still unclear on how to effectively implement a secure authentication solution for third-party APIs.
I think the following solution can solve the problem:
1. In your custom widget, get the user session before requesting your own API.
2. Get the token and username from the session, and use them as parameters to request your own API.
3. After your REST server receives the request, use the token and username to access the address: https://www.arcgis.com/sharing/rest/community/users/username?f=json&token=... (www.arcgis.com or portal url) to verify the user's identity. If the user is valid, respond to the API request.
```typescript
import { SessionManager } from 'jimu-core'

// Main session of the user signed in to Experience Builder (the portal session)
const session = SessionManager.getInstance().getMainSession()
const username = session.username
const token = session.token
```
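Added example of the server-side check in step 3, written here and not taken from the post or from Esri's code. It asks the portal who the token belongs to (`/sharing/rest/community/self`) and compares that to the username the widget sent, rather than fetching `/community/users/<name>`, which returns the profile named in the URL. Portal URL, usernames and reply bodies below are constructed placeholders; `fetchJson` is an injected HTTP helper so the logic runs offline.

```typescript
// Added example, not from the original post. Server-side check of the token
// and username a widget sends. It asks the portal who the token belongs to
// via /community/self and compares that identity to the client's claim.

type VerifyResult = { ok: boolean; reason: string };

// portalUrl is e.g. "https://www.arcgis.com" or your own portal base URL.
function selfUrl(portalUrl: string, token: string): string {
  const base = portalUrl.replace(/\/+$/, "");
  return `${base}/sharing/rest/community/self?f=json&token=${encodeURIComponent(token)}`;
}

// Pure decision logic over the portal's JSON reply. The portal answers an
// invalid or expired token with HTTP 200 and an {"error": {...}} body, so
// the body must be inspected rather than the HTTP status code.
function evaluateSelfResponse(claimedUsername: string, body: unknown): VerifyResult {
  if (!claimedUsername) return { ok: false, reason: "no username supplied" };
  if (typeof body !== "object" || body === null) return { ok: false, reason: "malformed portal reply" };
  const reply = body as { error?: { code?: number; message?: string }; username?: unknown };
  if (reply.error) return { ok: false, reason: `portal rejected token (code ${reply.error.code ?? "?"})` };
  if (typeof reply.username !== "string" || reply.username.length === 0) {
    return { ok: false, reason: "portal reply has no username" };
  }
  // The identity the portal asserts wins over the identity the client claimed.
  if (reply.username !== claimedUsername) return { ok: false, reason: "token belongs to a different user" };
  return { ok: true, reason: "verified" };
}

// Network wrapper; fetchJson is injected so it can be stubbed in tests.
async function verifyArcGISToken(portalUrl: string, claimedUsername: string, token: string,
    fetchJson: (url: string) => Promise<unknown>): Promise<VerifyResult> {
  if (!token) return { ok: false, reason: "no token supplied" };
  try {
    return evaluateSelfResponse(claimedUsername, await fetchJson(selfUrl(portalUrl, token)));
  } catch {
    return { ok: false, reason: "portal unreachable" };
  }
}

// Constructed sample replies (hypothetical values, not real portal output).
// 498 is the portal's "Invalid token" error code.
const SAMPLE_VALID_REPLY = { username: "alice_gis", fullName: "Alice Example", orgId: "ORG_PLACEHOLDER" };
const SAMPLE_INVALID_REPLY = { error: { code: 498, message: "Invalid token." } };
```

Have the widget send the token in a request header or POST body over HTTPS rather than as a URL query parameter, so it does not end up in server access logs.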