My API allows users to upload and download files to my Azure Storage account. To do this, they need a SAS token with permissions based on if they want to download or upload a file. I was wondering if there was a secure method to provide users with these tokens, other than sending it through more unsecure methods such as email.
Edit for Clarification:
I plan on having hundreds of users accessing my Azure Storage account. I was planning on generating my token through Azure itself but I have been considering generating the SAS token inside of the API or in a separate Azure Function. My API uses an Azure Function with NodeJS.
Proposal 1: You can create a new Azure function as a proxy on your storage account for uploading/downloading. Thanks to managed identity, you won't have to provide a SAS token. User authorization on the Azure Function will ensure that the permission is removed when the user is no longer authorized.
Proposal 2: You can create a SAS token with an Azure Function and send it to the user inside your application (can be transparent to the user). This will enable you to create a SAS token with a short lifetime. If communication between clients and server uses TLS, it will guarantee secure transmission of your token.