# Store JWT authentication token in localStorage - Status: accepted - Date: 2026-04-26 ## Context and Problem Statement The application requires persistent authentication across browser sessions. Where should the JWT token be stored client-side? ## Decision Drivers - Application is internal — used by a known, controlled user base; not publicly accessible. - Implementation simplicity. - Compatibility with Angular functional guards and the APP_INITIALIZER auth bootstrap. ## Considered Options - Store JWT in localStorage - Store JWT in an httpOnly cookie ## Decision Outcome Chosen option: "Store JWT in localStorage", because the application is internal with a controlled user base, making the XSS risk acceptable, and localStorage avoids the additional CSRF complexity of cookie-based auth. ### Positive Consequences - Simple implementation — no server-side session management. - Token persists across browser restarts without requiring re-login. - Works seamlessly with Angular functional guards and `APP_INITIALIZER`. ### Negative Consequences - Accessible to JavaScript — an XSS attack could exfiltrate the token. - If the application ever becomes publicly accessible or handles sensitive data, this decision must be revisited. ## Pros and Cons of the Options ### Store JWT in localStorage - Good, because simple to implement and operate. - Good, because survives browser restarts. - Bad, because XSS-vulnerable. ### Store JWT in an httpOnly cookie - Good, because inaccessible to JavaScript — XSS-safe. - Bad, because requires CSRF protection (SameSite cookie policy or CSRF tokens). - Bad, because more complex server-side coordination.