JWTs are also flexible. They can be stored in a secure, samesite, httponly cookie so as to mitigate XSS. This is done when the token is used for auth; you could also split the JWT to give the js only the payload and not the signature. (But also, if this is a concern for your use case, maybe JWTs are not for you - someone else said in this thread JWTs shine in the back end when APIs call other APIs).
In general though I would agree, most of the time people just pass the token to the client and then JS has access to it until it expires. And every http request they just tack that token in the authorization header as a bearer token.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
JWTs are also flexible. They can be stored in a secure, samesite, httponly cookie so as to mitigate XSS. This is done when the token is used for auth; you could also split the JWT to give the js only the payload and not the signature. (But also, if this is a concern for your use case, maybe JWTs are not for you - someone else said in this thread JWTs shine in the back end when APIs call other APIs).
In general though I would agree, most of the time people just pass the token to the client and then JS has access to it until it expires. And every http request they just tack that token in the authorization header as a bearer token.