Does Firebase / keycloak-js / etc. storing the access token in local storage create a security risk?
In my last question, a user explained to me that it is considered a security risk if the FE has direct access to the access token, and that using a backend-for-frontend is considered safer. Now I am using Firebase in my project for authentication and read that Firebase stores the token in local storage: "Firebase Authentication: Where is the token stored in web?"