@glenn.davies Thank you very much for your response about ACG with PKCE.
After user authentication / consent, the client then receives a single-use authorization code from the authorization server, which it then presents back to the authorization server along with the verifier from which the challenge was derived. This second request is made directly to the authorization server. In an SPA, this is done with JavaScript and, thus, CORS must be configured correctly on the authorization server. This can be done in Auth0 on the client configuration page.
This solved my initial question / provided a solution. Since we can get new access tokens from the logged in session, there is no need to store the access token.
@dan.woda still, it would be interesting to know what Auth0 means by "handling tokens server side"