I would do it slightly differently: I would send the rT in a cookie instead of sending it in the response, and in the frontend I resend this cookie on every request for a protected route back to the backend and compare its value with the original rT sent upon authentication, which would be stored in the db, and maybe not store the tokens in local storage but rather in memory.
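The server side of the scheme described in the comment above, as an added example that is not the commenter's code: the refresh token goes out in a cookie and is checked against the stored copy on each protected request. The function names, the `Map` standing in for the database, the cookie attributes, and the choice to store a SHA-256 hash rather than the raw token are all assumptions of this sketch.

```javascript
// Added example; issueRefreshCookie, verifyRefreshCookie, revoke and db are hypothetical names.
const crypto = require('crypto');

// Constructed stand-in for the database table: userId -> SHA-256 of the refresh token.
const db = new Map();

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// On authentication: mint a random refresh token, store only its hash,
// and return the Set-Cookie header value that carries it to the browser.
function issueRefreshCookie(userId) {
  const rT = crypto.randomBytes(32).toString('hex');
  db.set(userId, sha256(rT));
  // HttpOnly keeps the token out of reach of page scripts; Secure and
  // SameSite limit when the browser will attach it to a request.
  return `rT=${rT}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Pull one cookie value out of a request's Cookie header.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// On each protected request: compare the cookie's token with the stored value.
function verifyRefreshCookie(userId, cookieHeader) {
  const presented = readCookie(cookieHeader, 'rT');
  const stored = db.get(userId);
  if (!presented || !stored) return false;
  // Both digests are 32 bytes, so timingSafeEqual cannot throw on length.
  return crypto.timingSafeEqual(sha256(presented), stored);
}

// Logout or suspected theft: delete the stored value so the cookie stops working.
function revoke(userId) {
  return db.delete(userId);
}
```

Hashing before storage means a leaked table does not hand out usable tokens, and the constant-time comparison avoids leaking how many leading bytes matched.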