FThe more secure way is certainly to store the token on a server side "proxy" which changes the access_token into a cookie.
In the end it depends on your security needs, for example we store the acces_token for our console in the session storage and protect our SPA with a CSP to increase the security.
In the end it depends on your security needs, for example we store the acces_token for our console in the session storage and protect our SPA with a CSP to increase the security.