I just had a look at api terms and there is a section with heading You (and your App) may not access, store or share private user content or passwords.
So the question is: are we not allowed to access or store tokens/refresh token? Also are we not allowed to save user tasks in our db?
Thanks for raising this. We are actually in the midst of revising and clarifying our Asana API terms so these will all be updated in the near future. Our API and product constantly evolves and the current API terms were written in 2015 hence the need for an update. The quoted heading was intended to refer to data such as user login credentials and we will definitely be making this clearer in our new set of terms.