SPA: custom domain + silent auth vs refresh tokens + rotation

Hi @chris_b

Thank you for reaching out to us!

Both architectures should prove sustainable, but taking an overall consideration of security, user experience and ease of implementation, I would recommend choosing the refresh token in local storage + rotation route. This would combine the ease of utilizing local storage with the stateless nature of JWTs (JSON Web Tokens) and, with a robust implementation, would allow your application to handle access token/refresh token exchanges in a seamless manner, without compromising user experience.

Allow me to share some documentation that should assist with the implementation:

An additional point for added security that we recommend for SPAs is the use of Authorization Code Flow with Proof Key for Code Exchange (PKCE), which offers the highest grade in securing applications and also runs with the use of refresh tokens, in case this suits your environment.

Hope this helped, do not hesitate to reach out to us for any other issues or requests!

Have a great one,
Gerald
