Based on my search on authenticating users using JWT, I've found that JWTs can be vulnerable to XSS attacks. I've read that one of the ways to prevent XSS attacks on JWT is to create two JWTs, one as a refresh token and another as an access token. These are generated on first login by the users; they are generated on the server and stored in HttpOnly cookies on the server. Being cookies, their expiration dates can be set. After their generation and storage, they are sent to the front-end to be stored in memory. In other words, they are stored in variables on the front-end. Then these tokens are sent with each request to the server. If their expiration dates have been reached, a new JWT is created, stored in HttpOnly cookies, and sent to the front-end to be stored in memory.