From 5af093a0cced0c0759152787c74e5afdb248561b Mon Sep 17 00:00:00 2001
From: Sanchit Mehta <sanchit.mehta@okta.com>
Date: Fri, 12 Jun 2026 16:26:05 +0530
Subject: [PATCH 1/2] docs(ios-swift): add CredentialsManager callout in Step 5

---
 main/docs/quickstart/native/ios-swift.mdx | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/main/docs/quickstart/native/ios-swift.mdx b/main/docs/quickstart/native/ios-swift.mdx
index 838cce54d8..9a8ffbf228 100644
--- a/main/docs/quickstart/native/ios-swift.mdx
+++ b/main/docs/quickstart/native/ios-swift.mdx
@@ -163,7 +163,11 @@ Your AI assistant will automatically create your Auth0 application, fetch creden
   </Step>
   
   <Step title="Create the Authentication Service" stepNumber={5}>
-    Create `AuthenticationService.swift`:
+    Create `AuthenticationService.swift` to handle login, logout, and token storage.
+
+    <Info>
+      **Use `CredentialsManager` for token storage.** The `CredentialsManager` class securely stores credentials in the Keychain and automatically refreshes expired access tokens. Always use it — do not store tokens in memory, `UserDefaults`, or `localStorage`.
+    </Info>
 
     1. Right-click your project → **New File...** → **Swift File**
     2. Name it `AuthenticationService`

From 9167b582ddf3acdb6e221aefcb7cb6eba1f82a9d Mon Sep 17 00:00:00 2001
From: Sanchit Mehta <sanchit.mehta@okta.com>
Date: Sat, 13 Jun 2026 01:48:29 +0530
Subject: [PATCH 2/2] adding warning for not using raw values and use plist
 based approach

---
 main/docs/quickstart/native/ios-swift.mdx | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/main/docs/quickstart/native/ios-swift.mdx b/main/docs/quickstart/native/ios-swift.mdx
index 9a8ffbf228..993d5afde6 100644
--- a/main/docs/quickstart/native/ios-swift.mdx
+++ b/main/docs/quickstart/native/ios-swift.mdx
@@ -374,6 +374,10 @@ This is **required** for certain features to work properly:
 <Accordion title="Advanced Integration">
 ### Programmatic Configuration
 
+<Warning>
+Never hardcode `clientId` or `domain` values directly in Swift source files — they will be committed to version control. Read them from environment variables or a build-time configuration file at runtime. For most apps, prefer `Auth0.plist` (the default approach in this quickstart).
+</Warning>
+
 Instead of using `Auth0.plist`, you can pass credentials directly in your code. This is useful when credentials need to be dynamic or environment-specific (e.g., different Auth0 tenants for dev/staging/production).
 
 **Replace `Auth0.webAuth()` calls with `Auth0.webAuth(clientId:domain:)`:**