I am implementing my own authentication, I return an access token that is stored in the client side local storage , and a refresh token that is returned via http-only cookie
