
Refresh Tokens in HttpOnly Cookies

concept 3 connections

Pattern for API token auth: keep the long-lived refresh token in a cookie rather than in localStorage/sessionStorage. Cookies have 25+ years of browser support, are first-party, and are set and scoped by the server rather than the front end; with HttpOnly the cookie is invisible to JavaScript, so an XSS payload cannot read and exfiltrate the token (it can still fire a refresh request from the victim's browser, which is why expiry and server-side revocation still matter). Set Secure so the cookie only travels over HTTPS (this matters wherever HSTS is not yet in effect, such as a first visit without a preloaded policy), SameSite=Strict so the browser never attaches it to cross-site requests (which also mitigates CSRF against the refresh endpoint), and scope Path and Domain so it is sent only to the refresh and login endpoints. Works with mobile apps including Ionic: its WebView follows browser CORS rules, so the front end must send requests with credentials: 'include' and the API must answer with an explicit Access-Control-Allow-Origin (not *) plus Access-Control-Allow-Credentials: true. Treat the tokens themselves like passwords: store only a hash in the DB, give them an expiry, and cap the number live per user.

category
pattern
about
Refresh Tokens in HttpOnly Cookies concept
Section argues for refresh tokens in HttpOnly Secure SameSite cookies.
about
Refresh Tokens in HttpOnly Cookies concept
Restates the HttpOnly-cookie pattern as a recommendation.
recommends
Refresh Tokens in HttpOnly Cookies concept
Advocates storing refresh tokens in HttpOnly Secure SameSite cookies.

Provenance

Read by
3 extractions