A JWT is a form of user identification that is issued after the initial user authentication takes place. After authentication, the REST API issues the client app an access token and a refresh token. An access token has a shorter life span, for example 5 to 15 minutes. A refresh token is given a longer duration, for example hours, a day or even days.

While no security measures are perfect, we do want to consider the risks of cross-site scripting (XSS) and cross-site request forgery (CSRF). The access token is sent as JSON data to the client. To avoid the risks just mentioned, it is recommended that frontend applications store the access token in memory, so it is automatically lost when the app is closed. Access tokens should not be stored in local storage or cookies. Essentially, if you can store it somewhere with JavaScript, a hacker can also retrieve it with JavaScript. Just keep access tokens in memory, which you may also refer to as the current application state.

The REST API should issue the refresh token as an httpOnly cookie, which cannot be accessed by frontend JavaScript. Refresh tokens do need to have an expiration, which then requires users to log in again. Refresh tokens should not have the ability to issue new refresh tokens, because that would lead to indefinite access if the refresh token falls into the wrong hands.
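The server side of the scheme described above, as an added example that is not code from the original page: the access token goes out in the JSON body, the refresh token goes out in an httpOnly cookie, and refreshing returns a new access token only. The secrets, the `refresh_token` cookie name, the `/refresh` path, the lifetimes and the `Secure` and `SameSite=Strict` attributes are assumptions made for the example.

```javascript
const crypto = require("node:crypto");

// Constructed demo values; a real service loads secrets from configuration.
const ACCESS_SECRET = "demo-access-secret", REFRESH_SECRET = "demo-refresh-secret";
const ACCESS_TTL = 10 * 60;        // 10 minutes, inside the 5 to 15 minute range
const REFRESH_TTL = 24 * 60 * 60;  // one day

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const mac = (data, secret) =>
  crypto.createHmac("sha256", secret).update(data).digest("base64url");

// Sign an HS256 JWT carrying the user id and an absolute expiry (in seconds).
function signJwt(sub, secret, ttl, now) {
  const data = b64({ alg: "HS256", typ: "JWT" }) + "." + b64({ sub, exp: now + ttl });
  return data + "." + mac(data, secret);
}

// Return the payload if the signature matches and the token is unexpired, else null.
function verifyJwt(token, secret, now) {
  const [h, p, sig] = String(token).split(".");
  if (!h || !p || !sig) return null;
  const expected = Buffer.from(mac(h + "." + p, secret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const payload = JSON.parse(Buffer.from(p, "base64url").toString());
  return payload.exp > now ? payload : null;
}

// After authentication: access token in the JSON body, refresh token in a
// cookie that frontend JavaScript cannot read.
function login(userId, now) {
  const refreshToken = signJwt(userId, REFRESH_SECRET, REFRESH_TTL, now);
  return {
    body: { accessToken: signJwt(userId, ACCESS_SECRET, ACCESS_TTL, now) },
    setCookie: `refresh_token=${refreshToken}; HttpOnly; Secure; SameSite=Strict; ` +
      `Path=/refresh; Max-Age=${REFRESH_TTL}`,
  };
}

// Refresh: a valid cookie yields a new access token only. No Set-Cookie is
// returned, so the refresh token's original expiry still forces a new login.
function refresh(cookieHeader, now) {
  const m = /(?:^|;\s*)refresh_token=([^;]+)/.exec(cookieHeader || "");
  const payload = m && verifyJwt(m[1], REFRESH_SECRET, now);
  if (!payload) return { status: 401, body: { error: "login required" } };
  return { status: 200, body: { accessToken: signJwt(payload.sub, ACCESS_SECRET, ACCESS_TTL, now) } };
}
```

Using separate secrets for the two token types means an access token that leaks from the page cannot be replayed as a refresh token.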