I think it might be better to get rexrainbow to encrypt the key in the plug, or at least allow users to set what the key is at runtime which we can in turn encrypt/ decrypt ourselves via some other plug.
But you need to make a post in his thread about the plug, otherwise he may not see this.
It's not like he's not super busy with other stuff.
Finally reply is working.
Thanks but using gumshoe method is doing just fine for me.
The only thing that bothering me now is rex authentication plugin doesn't work on mobile webview. I still haven't found the solution yet but I my assumption is it has something to do with in app deeplinks (or universal links). I'm still solving the problem.