We have to not use refresh token, and we have to not store tokens at browser side. isn't it?

Hello, I want to develop authentication with jwt without session.
But I have question.

following this post, if token is saved at your browser, it is unsafe due to XSS attack.

So we can not save refresh token at client side, isn’t it?
I wonder why many jwt posts recommend the refresh / access token policy.

Thanks.

What type of application is it? An SPA (Single Page Application, such as Angular, Vue, React) or a Regular Web App with a backend?

Please see my direct reply here (in case it is an SPA):

which is about a similar question.

In a SPA, you don’t use a refresh token. Also for the access token, you should only hold it in memory, not store it in local storage. That applies to SPAs. See:

I wonder why many jwt posts recommend the refresh / access token policy.

It’s for regular web applications with backends, not SPAs.