Cookies is always de preferred way. It’s really the most secure of all. And easy one. But you can also use like localstorage to store tokens but it will require additional steps to extract it and use them to make the api calls.
— Thank you