Note: refresh tokens are stored in an HttpOnly cookie; the access token is stored locally for API calls.
