For SPAs such as with Angular, you should make use of checkSession() or getTokenSilently (depending whether you’re using the old JS SDK or the new Auth0 SPA JS) and the silent authentication approach, because it’s not safe to store access token in the browser.
Also relevant, as Jim pointed out above: