Hacker News
by thdrdt 2315 days ago
"Pro: JWT is secure"

Yes, but I see a lot of implementations where the token is sent to JavaScript and is stored there.

It's best to store it as a secure cookie (HttpOnly) so JavaScript cannot access it.
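
An added example, not part of the comment above: a Set-Cookie value that keeps the token out of script reach, plus a check that flags JWT-shaped cookies issued without the protective attributes. The cookie name `session`, the sample token, the function names and the SameSite check are assumptions made for illustration.

```javascript
// Added example. Cookie name, token and header strings are constructed samples.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl';
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Server side: the Set-Cookie value that keeps the token out of script reach.
function buildTokenCookie(name, token, maxAgeSeconds) {
  return [
    `${name}=${token}`,
    'HttpOnly',      // not exposed through document.cookie
    'Secure',        // only sent over HTTPS
    'SameSite=Lax',  // assumption: limits cross-site sending of the cookie
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = Object.create(null);
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf('=');
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: eq < 0 ? '' : pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Review side: flag JWT-shaped cookies that page script or plain HTTP can reach.
function auditSetCookie(header) {
  const { name, value, attrs } = parseSetCookie(header);
  const looksLikeJwt = JWT_SHAPE.test(value);
  const findings = [];
  if (looksLikeJwt) {
    if (!attrs.httponly) findings.push('no HttpOnly: readable through document.cookie');
    if (!attrs.secure) findings.push('no Secure: also sent over plain HTTP');
    if (!attrs.samesite) findings.push('no SameSite: cross-site behaviour left to browser defaults');
  }
  return { name, looksLikeJwt, findings };
}

console.log(auditSetCookie(buildTokenCookie('session', SAMPLE_JWT, 900)));
console.log(auditSetCookie(`session=${SAMPLE_JWT}; Path=/`));
```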