Hello, I am using the frontend token payload to store user role and I am using this payload to check for access role in the backend, how safe is this approach? I manipulated the frontend token to change the role but the backend still sees my correct, true role instead of the manipulated role. So I assume this is safe?
rp_st
07/18/2022, 12:38 PM
Hey @wdjzr. Yeah, essentially, the frontend stores the access token's payload in a separate token which is only read on the frontend.
The backend reads the access token payload from the actual access token, which is an httpOnly cookie (so frontend JS cannot read/write it), and is also crypto signed so that someone cannot manipulate its contents manually either.