How should a JWT refresh token best be stored in-browser in a codebase that’s shared between a web application and a Capacitor-built iOS & Android application?