I disagree on the security concerns with LS and JWT. As others have said, you will have a much larger concern if an attacker can inject JS into your site. Proper use of JWT is implementing expirary and sensible authorization after one has authenticated.
Deferring to the Auth0 docs, they recommend LS or cookies for storage.
I'm very familiar with Auth0 and have a lot of friends there. That being said: the recommend incorrect things all the time.
Nobody is perfect, especially not security companies! We get things wrong all the time ^
Deferring to Auth0 is a great call here.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.