You should focus more on verifying JWT tokens on the server side, as there’s no more secure way than letting clients store their own tokens. However, storing access tokens in cookies on the client side exposes them to XSS attacks. A better approach is:

For Web (React): Store the access token in memory and the refresh token in an HTTP-only, Secure cookie. For Mobile (Flutter): Store both tokens in secure storage (Keychain/Keystore) since cookies aren’t supported. Also, implement token blacklisting and cache invalidated tokens to prevent unauthorized reuse. Always use short-lived access tokens and verify them on every request.