This is really a nice article🫡. I was hoping to see refresh token as one of the countermeasures. The use of refresh token This way you give the access token a short lifespan and give the refresh token a longer expiry time and maybe when the access token needs to be refreshed you also update the refresh token. The refresh token can be encrypted as you stated in the article. I love the relatable analogies you used.