Where I get confused is storing the tokens securely. There's a lot of conflicting information online. I've come across many examples where they suggest localStorage which is a horrible idea.
A lot of the advice I see now is about HTTP-only cookies but I think I'd probably look more into OAuth in the future.
The current best practice is to keep the token in memory only and store a refresh token in an HTTP-only cookie.
In my experience though, if you’re only doing web-based auth and don’t _need_ to use JWTs for a specific reason, just use regular session cookies, it’s way less hassle. Coordinating auth and refresh state across page refreshes and tabs is a pain, and using a refresh token means you’re using cookies and saved session state anyway, so you lose pretty much all of the unique benefits of using JWTs and still have all the downsides.