How to store JWT and Refresh Tokens in a app or a browser?

Question

I build a Rest-API which handle request by using JWT and refresh token. But i am not sure how to store it on client side.

Should I store both it in cookies with httponly flag?

Should i store both in cookies or one in local storage for example shared preference(Android App)?

I am very interested in what is the best practice to handle these token on client side?

Answer 1

Standard recommendations:

• In a mobile UI store tokens in OS secure storage
• In a Web UI store the access token in memory
• In a Web UI refresh tokens in cookies work best

It requires a lot of discipline to do properly. My blog has posts and code samples you can run to understand this stuff. Maybe start here:

• Browser Token Security
• Android Code Sample