Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for secure client-side key storage for authentication tracking. Implementations include actions of determining, at a browser executed on a client-side computing device, that an application is authentic, the application being executed on a server-side computing device, in response to determining that the application is authentic, receiving a session signing key (SSK) at a sub-domain of an application domain, the sub-domain including a static script that handles the SSK and that selectively provides request signatures, receiving, at the sub-domain, a message requesting a request signature, determining that the message originated from an authentic origin, and in response to determining that the message originated from an authentic origin, providing a request signature to a source of the message, the request signature being based on the SSK.