How do you handle session management after OAuth login?

I'm building a small side project and just implemented Google OAuth for login. It works fine but now I'm stuck on what to do after the OAuth handshake. Right now I'm generating a JWT on my backend and sending it back to the frontend to store in localStorage. Then I attach it to every API request. This feels standard but I keep reading that localStorage is vulnerable to XSS. Some people say use httpOnly cookies instead, but then how do you handle mobile or if your frontend is on a different domain?

I'm just one developer and I don't want to overengineer this, but I also don't want to ship something insecure. My app doesn't handle anything super sensitive like banking or medical data. It's basically a todo list with some sharing features.

Is JWT in localStorage fine for this use case or should I go through the trouble of setting up a proper cookie-based session? Also what about refresh tokens? Do I really need them for a simple app?…