Where Should You Store JWTs In The Browser
Question: How do I securely store JWTs on the client?
Answer: User JWTs, which are usually returned either as cookies or in JSON payloads in response to a successful login, are transient (they don't last forever) and are meant to be stored on the client. They are not meant to be kept secret, and it is not dangerous for them to be on the client. They are simply used to identify the user. You don't need to obfuscate or obscure them in any way, since they will be clearly visible in the headers of any request the client makes to the server in the Network tab, usually in the Authorization header, where you see Authorization: Bearer YOUR_JWT_HERE.
You can, and probably should, store them in LocalStorage on the client so that if the customer closes the window and then comes back quickly, they can pick up where they left off. Most auth service providers and libraries handle all of this automatically for you, so check that your library isn't already handling the LocalStorage part before you go and do it yourself.
It's worth noting that JWT handling varies with the security level of the application. There are low-security applications where you only need to log in every once in a while. There are medium-security applications where you need to log in more frequently, or in response to specific actions like changing your password. And there are high-security applications where you need to log in at short, regular intervals and the JWT is never persistently stored. The security requirements of your application will determine how you handle JWTs.
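As an added example (not code from the original answer), here is a small browser-side token holder that follows the advice above: it treats the JWT as transient by checking its `exp` claim on every read, sends it as `Authorization: Bearer ...`, and picks the storage backend by security tier, `window.localStorage` for "pick up where you left off" behaviour or a throwaway in-memory object for applications where the token must never be persisted. `TokenStore`, `MemoryStorage` and the sample token are our own constructions.

```javascript
// Added example, not the page's code: a client-side JWT holder that treats the
// token as transient (exp checked on every read) and picks its storage backend
// by security tier. TokenStore and MemoryStorage are names we made up.
const b64url = (s) => btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function decodeJwtPayload(token) {
  // Reads claims only. This does NOT verify the signature: the browser never
  // holds the signing key, so it can inspect the token but must not trust it.
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
}

function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== 'number' || exp <= nowSeconds;
}

// Stand-in for window.localStorage with the same getItem/setItem/removeItem
// surface, but it only lives as long as the page's script does.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
  removeItem(k) { this.items.delete(k); }
}

class TokenStore {
  // policy 'persistent': survive a closed tab (pass window.localStorage); 'memory': never persist.
  constructor(policy, persistentStorage) {
    this.storage = policy === 'persistent' ? persistentStorage : new MemoryStorage();
    this.key = 'access_token';
  }
  save(token) { this.storage.setItem(this.key, token); }
  clear() { this.storage.removeItem(this.key); }
  load(nowSeconds) {
    const token = this.storage.getItem(this.key);
    if (token === null) return null;
    if (isExpired(token, nowSeconds)) { this.clear(); return null; } // stale: user must log in again
    return token;
  }
  authHeaders(nowSeconds) { // the header shape the answer describes seeing in the Network tab
    const token = this.load(nowSeconds);
    return token ? { Authorization: `Bearer ${token}` } : {};
  }
}

// Constructed, unsigned sample token for illustration: sub user-123, exp 1700000000.
const SAMPLE_JWT = [b64url('{"alg":"HS256","typ":"JWT"}'), b64url('{"sub":"user-123","exp":1700000000}'), 'sig'].join('.');
```

In a real page you would call `new TokenStore('persistent', window.localStorage)` after login and spread `authHeaders()` into each `fetch` call's headers.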