Hacker News
by
zacksinclair
2214 days ago
Why not store a short-lived token in a cookie as well?
1 comments
poxrud
2214 days ago
Because then you can be vulnerable to a CSRF attack. For example, if someone tricks you into clicking www.mysite.com/api/delete-account
anaxag0ras
2214 days ago
CSRF attacks can be prevented using same-site policy with cookies.
poxrud
2214 days ago
That is true, but it will not protect against all forms of CSRF; for example, you'll be vulnerable if you have user-generated content that's not sanitized properly. On the refresh_token cookie I have sameSite and httpOnly set.