Storing a JWT in a cookie means the browser will automatically attach it to every request to your API, including requests triggered by a malicious third-party site (for example a hidden form that auto-submits to your endpoint, or an image or script tag pointing at it).
On its own, this makes your app vulnerable to CSRF attacks.
A CSRF token fixes this because:
the JWT cookie is auto-sent by the browser (the attacker can trigger this)
the CSRF token must be added to the request by your own frontend code, typically in a custom header such as X-CSRF-Token (the attacker cannot do this: the same-origin policy stops their page from reading the token, and a cross-site form submission cannot set custom headers)
So the server verifies:
JWT cookie → “this is the user’s browser”
CSRF token → “this request came from our frontend, not another site”
If the attacker triggers a request, the JWT cookie is sent, but the CSRF token is missing (or does not match the one issued for that session), so the request is rejected. The server must compare the submitted token against the value it issued, with a constant-time comparison, rather than merely checking that some token is present.
CSRF tokens do NOT protect against stolen JWTs (an attacker who has exfiltrated the cookie value, for example via XSS, can send both the JWT and the token themselves), but they do protect against the browser being tricked into sending authenticated requests.
Since you are using SameSite=None (cross-site cookies; note that SameSite=None must be paired with Secure), the browser attaches the JWT cookie to cross-site requests, so the SameSite defense is off and token-based CSRF protection is required. Apply the check to every state-changing method (POST, PUT, PATCH, DELETE) and keep GET handlers free of side effects, because a cross-site GET still carries the cookie.