I am trying to learn Backend/Frontend development ...
# server
m
I am trying to learn Backend/Frontend development, and one of my challenges so far has been to understand JWT authentication. But the more I research this topic, the more confused I get. I have seen that storing the JWT token in the frontend's localStorage is a bad thing and I should be doing it via HttpOnly cookies. However, for me to use the token on the frontend I would need to access it from the cookie, which I can't because it's HttpOnly, so I figured I would just make calls to the backend while having the cookie and the backend would send the data back already authorized. However, I was then told that the token should be passed in the Authorization header and not in the cookie. So I wanted to ask, what is the correct way to handle this situation? Do I query the backend with the cookie, get the token back, store the token in memory, then query the backend again for data using the token in the Authorization header? This sounds a bit counterproductive, no? I really want to learn this topic and learn what the correct way to secure the login is.
j
@Mark This cleared up some confusion/myths for me: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ I think the "Prevents CSRF" section might be relevant to your concerns about where to store the JWT. Also, this is pretty off-topic for a Kotlin Slack lol.
a
You send the token from the backend to the frontend. The frontend stores it in a cookie or a store like Vuex or Redux or local storage, whatever works for the frontend framework. Then the token is sent in the Authorization header as a bearer token to the backend.
e
I highly recommend checking this: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/. Although the title says "GraphQL", most of it can be applied to REST APIs too.
m
Thank you! That article is a great help! And apologies if this is a bit off-topic; this community is very helpful, so I thought I'd give it a try.