But this JWT should never be accessible from the frontend. Cause it can be stolen via XSS attacks.