by solitus 1863 days ago
Localstorage is prone to XSS.

You can split the JWT to have parts stored in cookie and another in localstorage. Stitch the two together on the server.


What's the advantage over storing it just in the cookie then, since you need to look at it anyway, and since the localstorage storage half is useless on its own (thus not useful from JS)?
You're limited in how much data you can store in a cookie
Your front-end probably does not need to know about the signature, which is the part you leave in an HTTP-only cookie.