...
Store the refresh token in a cookie. Make sure to set HTTP-Only=true so that scripts running in the page cannot read it.
Store the access token and ID token using one of the following methods, where the design allows:
Server side (best option)
Local Storage (2nd best option)
Session Storage (be careful because these are cleared when tabs close)
Examining Contents Of JWT Tokens
JWT tokens are encrypted JSON objects comprised of a series of fields called “claims”. In order to see the contents of a JWT, use the decoder at https://jwt.io.
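
Added example (not from the original page): the same inspection done locally in Python, so a live token never has to be pasted into a website. It reads the header and claims of a three-segment signed JWT, whose first two segments are base64url-encoded JSON, and does not verify the signature, so the output is for inspection only. The function names and the sample token are constructed for illustration.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are URL-safe base64 with '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_jwt(token: str) -> dict:
    """Return header and claims of a compact JWT. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) == 5:
        raise ValueError("five segments: JWE token, claims need the decryption key")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"segment is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must both be JSON objects")
    return {"header": header, "claims": claims}

def is_expired(claims: dict, now: int) -> bool:
    # RFC 7519: a token must be rejected at or after its "exp" time (epoch seconds).
    exp = claims.get("exp")
    return exp is not None and now >= exp

# Constructed sample token: made-up claims and a placeholder signature.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps({"sub": "user-123", "iss": "https://idp.example",
                              "exp": 1700000000}).encode()),
    b64url_encode(b"constructed-signature"),
])

if __name__ == "__main__":
    decoded = decode_jwt(SAMPLE_TOKEN)
    print(json.dumps(decoded, indent=2))
    print("expired at 1700000001:", is_expired(decoded["claims"], 1700000001))
```

Because the signature is not checked, never use the decoded claims for an authorization decision; verify the token with the issuer's key first.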