If you want the user to store the keys, the solution (i.e., non-custodial) needs to be client side and use Javascript.
If you want to store the keys for the users, then it really depends on the security model you are considering. Amongst many other questions, you may need to consider what happens if your server gets compromised. If it stores a kmd token, the adversary may just steal all the Algos of all the users.
See also Could I implement an ASA with it's own custom wallet? - #2 by fabrice