Start with a backend-backed session. Your refresh token stays in a cookie; the access token stays client-side.