@User yes, that works too. But it's not as foolproof, since depending on the method of token theft, the attacker can also likely send off the victim's browser fingerprint to themselves and inject that into malicious requests. The backend won't know about this and will happily accept it!