How does google-api-js-client (gapi) restore sign in state across sessions and refreshes

It's very nice that the gapi api is able to keep a user signed in but I would like to understand how it does it.

In the developer docs it states that

Then, if the user has already signed in, the GoogleAuth object restores the user's sign-in state from the previous session.

The only way I know of doing this is by using a refresh token which is insecure if stored on the client.

How does the gapi-api acheive this?

I would refer to the sources, but I don't think they are open.

Solution

it calls the OAuth endpoint with prompt=none in a hidden iframe. You're right that the libs are closed source, which is great reason to not use them. It's not difficult to write your own OAuth implementation.

How to Sync Google Calendar Events Using Push Notifications?
Stuck on openAuthSessionAsync - How to Close Browser After Successful Google OAuth Login?
Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
OAuth 2.0 Single Client Configuration for Web and Mobile Applications
Creating JWT in Coldfusion for google Service account
How to use Google Oauth2.0 to authenticate user via Telegram Bot
Error in oAuth2 Google APIs - invalid_request "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy"
How to fix Constant Errors When Implementing Google OAuth Sign-in with Django
Google Cloud calendar API connection error
Google Apps Script attempting to utilize OAuthScopes is giving an error with no details and prevents saving
Is a Client Secret Required for Google OAuth 2.0 using the PKCE Authorization Flow? Should I Expose the Client Secret Publicly?
Google Login integration Error: 401. Error: deleted_client The OAuth client was deleted. What is the solution here?
Import "google.oauth2.credentials" could not be resolved Visual Studio Code
Value of type 'GIDSignIn' has no member 'clientID'
SMTP with google xoauth2 results in error {"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}
Google OAuth 2.0 authentication not working in React app: what am I doing wrong?
Laravel 11.x Google Authentication using Socialite: Target Class [google.auth] Does Not Exist
Firebase Google Auth Youtube Redirect API Call
How to test Google's OAuth granular consent screen
Is there a way to setup Airflow 2 with Google OAuth2 authentication
Swagger support for Google authentication in ASP.NET Core
I get this error:- Error 400: redirect_uri_mismatch even after I registered the URI in Google Gmail API OAuth 2.0
Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'
How do I fix a "CSRF Warning! State not equal in request and response." error when trying to log in with Google using FastAPI?
Relationship between Google Identity Services - Sign In with Google and User Authorization for Google APIs
Download Google Drive file with PHP Symfony
How to Limit YouTube OAuth Partner Scope to One CMS
I am able to change and retrieve the "response_type" from "code" to "token" in Google OAuth 2.0 request
Error 400: invalid_request for iOS google Sign in
Google third app (testing) keeps dropping connection with google account