The Token Handler Pattern provides security hardening for SPAs: https://curity.io/blog/token-handler-the-single-page-applications-new-bff/