- After successful authentication, add the access token and refresh token to an HttpOnly cookie.
- The auth middleware should first check for the token in the cookie and, if it is not there, in the auth header.
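One way to implement both items, shown as an added example that is not code from the original page. The cookie names, lifetimes, `/auth/refresh` path, the `Secure`/`SameSite` attributes, the Express-style middleware signature and the `verifyToken` callback are all assumptions.

```javascript
// Added example. Cookie names, Max-Age values and paths are assumptions.
// Build the Set-Cookie values issued after a successful login.
function buildAuthCookies(accessToken, refreshToken) {
  const flags = "HttpOnly; Secure; SameSite=Strict";
  return [
    `access_token=${encodeURIComponent(accessToken)}; Path=/; Max-Age=900; ${flags}`,
    // Scope the refresh token to the refresh endpoint so it is not sent on every request.
    `refresh_token=${encodeURIComponent(refreshToken)}; Path=/auth/refresh; Max-Age=604800; ${flags}`,
  ];
}

// Parse a Cookie request header into a name -> value map (first occurrence wins).
function parseCookies(header) {
  const jar = Object.create(null); // no prototype keys such as "constructor"
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    const name = eq < 0 ? "" : part.slice(0, eq).trim();
    if (!name || name in jar) continue;
    try { jar[name] = decodeURIComponent(part.slice(eq + 1).trim()); }
    catch { /* malformed percent-encoding: ignore this cookie */ }
  }
  return jar;
}

// Resolve the token: cookie first, then "Authorization: Bearer <token>".
// The source is returned so that CSRF checks can be applied to cookie-sourced requests.
function extractToken(headers) {
  const fromCookie = parseCookies(headers.cookie).access_token;
  if (fromCookie) return { token: fromCookie, source: "cookie" };
  const m = /^Bearer ([A-Za-z0-9\-._~+\/]+=*)$/i.exec(headers.authorization || "");
  return m ? { token: m[1], source: "header" } : null;
}

// Express-style middleware. verifyToken is a hypothetical callback that
// returns the token's claims or throws when the token is invalid.
function authMiddleware(verifyToken) {
  return (req, res, next) => {
    const found = extractToken(req.headers);
    if (!found) { res.statusCode = 401; return res.end("missing token"); }
    try {
      req.auth = { claims: verifyToken(found.token), source: found.source };
      next();
    } catch {
      res.statusCode = 401;
      res.end("invalid token");
    }
  };
}
```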