Hey bl4ck!
Tokens should be stored in cookies, not local storage (as local storage is vulnerable to XSS). While storing tokens in cookies, anti-CSRF measures should be put in place. SuperTokens does this automatically by storing an anti-CSRF token in local storage. We're writing a blog post on using local storage vs cookies to store tokens, and that will explore this question in more detail. It should be out in ~2 weeks.
Hope this helps!
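
A sketch of the pattern described in the reply above, added here as an example; it is not SuperTokens' code or part of the original post. The session token travels in an `HttpOnly` cookie and the anti-CSRF token is handed to the page for local storage. The cookie name `sid`, the `anti-csrf` header name, the in-memory session set and the HMAC binding are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

const SERVER_KEY = nodeCrypto.randomBytes(32); // assumption: secret that never leaves the server
const sessions = new Set();                    // assumption: stand-in for a real session store

// Anti-CSRF token is an HMAC of the session id, so it is only valid for that session.
function antiCsrfFor(sessionId) {
  return nodeCrypto.createHmac("sha256", SERVER_KEY).update(sessionId).digest("hex");
}

// Login response: a cookie that page scripts cannot read, plus a token the page
// keeps in local storage and sends back in a request header.
function issueSession() {
  const sessionId = nodeCrypto.randomBytes(32).toString("hex");
  sessions.add(sessionId);
  return {
    setCookie: `sid=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
    antiCsrf: antiCsrfFor(sessionId),
  };
}

function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Server-side check for an incoming request of shape { method, headers }.
function checkRequest(req) {
  const sid = parseCookies(req.headers.cookie).sid;
  if (!sid || !sessions.has(sid)) return { ok: false, reason: "no valid session cookie" };
  if (SAFE_METHODS.has(req.method)) return { ok: true, reason: "safe method" };
  // The browser attaches the cookie to cross-site requests on its own; the header
  // must be set by script running on our origin, which alone can read local storage.
  const sent = Buffer.from(String(req.headers["anti-csrf"] || ""));
  const expected = Buffer.from(antiCsrfFor(sid));
  if (sent.length !== expected.length || !nodeCrypto.timingSafeEqual(sent, expected)) {
    return { ok: false, reason: "anti-CSRF token missing or wrong" };
  }
  return { ok: true, reason: "cookie and anti-CSRF header match" };
}
```

An XSS payload can still read the anti-CSRF token from local storage, but not the `HttpOnly` session cookie, so the token that authenticates the user stays out of script reach.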