Hacker News

Maybe it's irrelevant, but for a JWT to be passed as a Bearer in the Authentication header, it needs to be accessible from the browser? Aren't httpOnly cookies safer in this regard? Or do we set the JWT in the cookie too?



Some people advocate for a secure httpOnly session cookie for the client, letting the server hold onto the JWT and manage refresh. This gets you the benefit of server-to-server access via the token as well as the "session" concept and the warm fuzzy feeling of knowing the client doesn't hold the token.


Sounds like a nice compromise, thanks



