Amplify Cognito Auth JS Library keeps all tokens in localStorage?

Question

Recently started building a SPA. I'm using the [official AWS stand-alone Amplify javascript library for Auth](https://github.com/aws-amplify/amplify-js?tab=readme-ov-file#features). After deploying my SPA and logging in, I noticed that all of my tokens are persisted in local storage in the browser.

For example:

|key|
|---|
|CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.accessToken|
|CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.refreshToken|
|CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.idToken|

I'm fairly new to the frontend auth, but everything I've read has claimed that this is poor security. For example:

[auth0.com: Using browser local storage](https://auth0.com/docs/secure/security-guidance/data-security/token-storage#browser-local-storage-scenarios)

[Here’s Why Storing JWT in Local Storage is a Disastrous Mistake](https://medium.com/kanlanc/heres-why-storing-jwt-in-local-storage-is-a-great-mistake-df01dad90f9e)

[Best Practices for Storing Access Tokens in the Browser ](https://thenewstack.io/best-practices-for-storing-access-tokens-in-the-browser/)

Is this something that AWS is failing to account for?

Accepted Answer

You can use a custom storage adapter and use cookies for instance:

https://docs.amplify.aws/react/build-a-backend/auth/manage-user-session/#update-your-token-saving-mechanism

key
CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.accessToken
CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.refreshToken
CognitoIdentityServiceProvider.1k90vt58oc1v7kfme68th8kdf0.myuser.idToken

Amplify Cognito Auth JS Library keeps all tokens in localStorage?

Relevant content