> I can extract the cookies from the headers, but would have to set them manually on each subsequent request We have interceptors that would do that for you. > So there is the issue with persistence, saving it in shared_preferences would result in the refresh token being saved to local storage. Yes. But unlike the browser, the risk of token theft via XSS is very low on mobile apps.