## Credential handling

Amplify Swift library securely handles credentials and user identity information. You do not need to store, refresh, or delete credentials yourself. Instead, Amplify Swift library handles these operations using platform capabilities such as [`ASWebAuthenticationSession`](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession) for web-based OAuth flows, and [Keychain Services](https://developer.apple.com/documentation/security/keychain_services/) for storing and retrieving sensitive information. Only the host app (or defined app group) can access values that Amplify Swift library stores, and Amplify Swift library also clears credentials if it detects a configuration change such as a new Cognito UserPool or Cognito Identity Pool.

You can retrieve stored credentials by invoking [`fetchAuthSession` API](https://docs.amplify.aws/lib/auth/access_credentials/q/platform/ios/), which is the same API that other Amplify Swift library categories use to retrieve credentials for making calls to backend services like AWS AppSync, Amazon Pinpoint, and Amazon Simple Storage Service (Amazon S3). That API validates stored credentials and returns them if valid. If the credentials are not valid, Amplify Swift library will use the stored refresh token to refresh the credentials and return them. If the refresh token is not valid, Amplify Swift library will return a session expired error.