Casting Socialite google_refresh_token

[obayesshelton]

Hi everyone,

I am currently building a platform heavily reliant on the YouTube Data API. We are storing refresh_tokens to perform background jobs.

I know standard advice is "encrypt everything," but I am trying to determine the modern "Best Practice" for Laravel 12 applications running on managed infrastructure (where the DB volume is already encrypted).

My specific question: Is it recommended to add the encrypted cast to the User model in addition to DB encryption?

protected $casts = [
    'google_refresh_token' => 'encrypted',
];

What is the consensus here?

[dxnter]

I would consider it a best practice against a different threat model (database breaches, leaked backups, SQL injection, compromised DB credentials).

Refresh tokens are particularly sensitive, and application-level encryption has minimal overhead.