Is using/storing id tokens in the browser considered save now?

Question

Looking at the firebase documentation it seems it is simply possible for the client side javascript to obtain the odic id token via getIdToken.A few years ago this was considered unsave and instead sessions should be used an the session Id should be replaced by the JWT token on the server side.I'm wondering what is the current best practice?

compressedgas · Accepted Answer

The documentation states that the ID returned by getIdToken is a JWT token.https://firebase.google.com/docs/reference/js/v8/firebase.Us...https://firebase.google.com/docs/auth/admin/verify-id-tokens