My favorite way to handle API authentication (on frontend, in microservice architectures):
- Using JWTs, microservices validate access tokens
- Access Token, expires after 10 min, stored in memory and sent in Header on API requests
- Refresh Token, http-only cookie used to renew access tokens
First time I read about this: The Ultimate Guide to handling JWTs on frontend clients
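
The client side of the pattern described above, as an added example that is not part of the original post or the linked guide. The `createApiClient` helper, the `/auth/refresh` endpoint and its `{ accessToken, expiresIn }` JSON response are assumptions made for illustration.

```javascript
// Hypothetical helper: the access token lives only in this closure (memory),
// never in localStorage/sessionStorage, so it is gone on page reload.
function createApiClient({ fetchImpl = fetch, refreshUrl = "/auth/refresh",
                           now = () => Date.now() } = {}) {
  let accessToken = null;
  let expiresAt = 0;     // ms timestamp, derived from the server's expiresIn
  let inflight = null;   // single-flight: concurrent callers share one refresh

  async function refresh() {
    // The browser attaches the http-only refresh cookie by itself;
    // script code never reads or stores it.
    const res = await fetchImpl(refreshUrl, { method: "POST", credentials: "include" });
    if (!res.ok) {
      accessToken = null;
      throw new Error("refresh rejected: user must sign in again");
    }
    const body = await res.json();   // assumed shape: { accessToken, expiresIn }
    accessToken = body.accessToken;
    expiresAt = now() + body.expiresIn * 1000;
  }

  function ensureToken() {
    // Renew slightly early (5 s) so a token does not expire in flight.
    if (accessToken && now() < expiresAt - 5000) return Promise.resolve();
    inflight = inflight || refresh().finally(() => { inflight = null; });
    return inflight;
  }

  async function request(url, init = {}) {
    await ensureToken();
    const send = () => fetchImpl(url, {
      ...init,
      headers: { ...init.headers, Authorization: `Bearer ${accessToken}` },
    });
    let res = await send();
    if (res.status === 401) {  // service rejected the token: renew once, retry once
      expiresAt = 0;
      await ensureToken();
      res = await send();
    }
    return res;
  }

  return { request };
}
```

For the cookie to be sent on the refresh call and nowhere else, the server would set it with `HttpOnly`, `Secure`, a `SameSite` policy and a `Path` limited to the refresh endpoint.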