Key point
- Whoever has the token can act as the user
- You can pass the token to the JS frontend and directly call any backend that accepts the token
- (you may have to fight with CORS, but that's still easier than fighting against cookies AND CORS)
- You can store the token in some backend and have it call another backend
- You can store the token in a commandline script / desktop app