I understand that the best practices are to use Auth0 Single Page App SDK and not store tokens in local storage. I am currently trying to understand how secure auth0-spa-js is but I can not find any information on the architecture for that library. Internally, how does auth0-spa-js store both access…

Yes, that applies in the same way for this grant type, if the client is a SPA. It’s also the grant type that the auth0-spa-js uses.

npatel September 12, 2019, 9:50am 6

did you set the audience correctly? that should enable JWT access_token instead of a string access token.
Can you also check what is getting sent in headers

1 Like

Auth0/auth0-spa-js Access token refresh?

How does auth0-spa-js store tokens