There is no need to hide anything regarding the calls on the client-side. Because this is how a front-end framework works (your API routes are not supposed to be hidden either, no need for paranoia).
If you want to provide something secure, you can indeed have a JWT authentication that will be sent as a header for all of your axios calls.
More info can be found here. A good thing to know is that it's not likely that somebody will hack your client's browser to get the JWT from their cookies (safer than localStorage), but if you feel like it's a HUGE possibility, bring down the expiration of the token to 1 minute.
Then, you could bring a refresh token alongside your access token to be sure that it's refreshed without asking the user to go through a login page another time.
PS: Some reading on your favorite search engine will be mandatory to understand all the concepts on how to implement a well-done JWT flow with your client-side app.
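
Added example, not part of the original answer: a sketch of the short-lived access token plus refresh token flow described above, with the token attached as an `Authorization` header and a single shared refresh when concurrent calls all receive a 401. The names `createAuthClient`, `transport` and `refresh` are hypothetical; `transport` stands in for the HTTP call (with axios the same logic would sit in request/response interceptors), `refresh` stands in for a call to your refresh endpoint, and the fake backend in `demo` is constructed for illustration.

```javascript
// Added example: createAuthClient, transport and refresh are hypothetical names.
function createAuthClient({ transport, refresh, accessToken = null }) {
  let refreshing = null; // in-flight refresh promise shared by concurrent callers

  function renew() {
    if (!refreshing) {
      refreshing = Promise.resolve()
        .then(refresh) // assumption: resolves to a fresh access token
        .then((token) => { accessToken = token; return token; })
        .finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  async function send(req) {
    const headers = { ...(req.headers || {}) };
    if (accessToken) headers.Authorization = `Bearer ${accessToken}`;
    return transport({ ...req, headers });
  }

  return async function request(req) {
    const tokenUsed = accessToken;
    const res = await send(req);
    if (res.status !== 401) return res;
    // Token expired or rejected: renew unless another call already replaced it.
    if (accessToken === tokenUsed) await renew();
    // Retry exactly once; a second 401 (or a failed refresh) reaches the caller,
    // which should then send the user back to the login page.
    return send(req);
  };
}

// Constructed stand-in for the API: it accepts only the currently valid token.
async function demo() {
  const valid = "token-2";
  let refreshCalls = 0;
  const transport = async (req) =>
    req.headers.Authorization === `Bearer ${valid}`
      ? { status: 200, data: req.url }
      : { status: 401 };
  const refresh = async () => { refreshCalls += 1; return valid; };
  const request = createAuthClient({ transport, refresh, accessToken: "token-1" });
  const results = await Promise.all(["/a", "/b", "/c"].map((url) => request({ url })));
  return { statuses: results.map((r) => r.status), refreshCalls };
}

demo().then((r) => console.log(r));
```

With a 1-minute access token, 401s on parallel requests are routine, so sharing one refresh avoids sending the refresh token several times for the same expiry.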