OAuth in single-page apps: redirects, CORS, and token storage
Authorization Code with PKCE is the modern default—understand where CORS still matters for token endpoints.
Why PKCE matters
Public clients such as SPAs cannot keep a client secret, so nothing but the authorization code itself protects the exchange. PKCE binds that code to the client that requested it: a code intercepted on a mobile or desktop browser cannot be redeemed without the matching code_verifier.
After the redirect, your SPA exchanges the code at the token endpoint. Those XHR/fetch calls are cross-origin, so they are subject to CORS: the token endpoint has to answer the preflight and allow the SPA's origin, or the browser withholds the response.
Storage trade-offs
Memory-only tokens vanish on page refresh; localStorage survives refreshes but widens the blast radius of any XSS, since injected script can read it. HttpOnly cookies keep the token out of reach of script but shift the risk onto your CSRF protections.
Pick a threat model before choosing storage; combine with short lifetimes and refresh rotation.
