Hi @benjamin203!
That’s correct!
Yes, typically SPAs are public clients only (no backend) and thus tokens would be stored in the browser. This opens up the app to security vulnerabilities.
I shared some more info in this post of yours, hopefully that helps as well!