TokenCachePersistenceOptions Class

Options for persistent token caching.

Most credentials accept an instance of this class to configure persistent token caching. The default values configure a credential to use a cache shared with Microsoft developer tools and SharedTokenCacheCredential. To isolate a credential's data from other applications, specify a name for the cache.

By default, the cache is encrypted with the current platform's user data protection API, and will raise an error when this is not available. To configure the cache to fall back to an unencrypted file instead of raising an error, specify allow_unencrypted_storage=True.


The cache contains authentication secrets. If the cache is not encrypted, protecting it is the application's responsibility. A breach of its contents will fully compromise accounts.



TokenCachePersistenceOptions(*, allow_unencrypted_storage: bool = False, name: str = 'msal.cache', **kwargs: Any)

Keyword-Only Parameters

Name Description

name: prefix name of the cache, used to isolate its data from other applications. Defaults to the name of the cache shared by Microsoft dev tools and SharedTokenCacheCredential. Additional strings may be appended to the name for further isolation.

default value: msal.cache

allow_unencrypted_storage: whether the cache should fall back to storing its data in plain text when encryption isn't possible. False by default. Setting this to True does not disable encryption. The cache will always try to encrypt its data.


Configuring a credential for persistent caching

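   from azure.identity import InteractiveBrowserCredential, TokenCachePersistenceOptions

   cache_options = TokenCachePersistenceOptions()
   credential = InteractiveBrowserCredential(cache_persistence_options=cache_options)

   # specify a cache name to isolate the cache from other applications
   # ("my_application" is an example value)
   TokenCachePersistenceOptions(name="my_application")

   # configure the cache to fall back to unencrypted storage when encryption isn't available
   TokenCachePersistenceOptions(allow_unencrypted_storage=True)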
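
When allow_unencrypted_storage=True is used, the warning above leaves protection of the plaintext file to the application. The following is an added example, not part of the azure-identity library or its documentation: a POSIX-only check of ownership and permissions on a plaintext cache file. The function name, the file name example.cache and the idea that the caller passes in the path are assumptions; the example does not state where the library writes its fallback file.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_plaintext_cache(cache_file):
    """Return a list of findings for a token cache file stored without encryption."""
    path = Path(cache_file)  # path is supplied by the caller (assumption)
    try:
        st = path.lstat()  # lstat so a symlink placed at the cache path is not followed
    except FileNotFoundError:
        return ["cache file does not exist: %s" % path]
    if stat.S_ISLNK(st.st_mode):
        return ["cache path is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        return ["cache path is not a regular file"]

    findings = []
    if st.st_uid != os.getuid():
        findings.append("cache file is owned by uid %d, not the current user" % st.st_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("cache file is accessible to group/other (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    # A writable parent directory lets another account replace the file.
    parent = path.parent.stat()
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is writable by group/other (mode %o)"
                        % stat.S_IMODE(parent.st_mode))
    return findings


def demo():
    """Audit a constructed file twice: world-readable, then owner-only."""
    with tempfile.TemporaryDirectory() as d:  # created with mode 0700
        f = Path(d) / "example.cache"  # constructed name, not the library's path
        f.write_text("{}")  # constructed placeholder content, no real secrets
        os.chmod(f, 0o644)
        before = audit_plaintext_cache(f)
        os.chmod(f, 0o600)
        after = audit_plaintext_cache(f)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("mode 0644", "mode 0600"), demo()):
        print(label, "->", result or "no findings")
```

An empty list means the file is a regular file owned by the current user, closed to group and other, in a directory that only the owner can write to.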