@User Thanks for explaining. Yes it's surprising that such a basic functionality is still not implemented by the dart team. So regardless if one uses access token only or access & refresh tokens (this is probably more work for no additional benefit when in localstorage, correct?) the problem remains that it is open for csrf, right?