
Security: dylanesque/Cheatsheets

Security

security.md

JWTs

-Don't store JWTs in local storage: favor React state or an HTTP-only cookie

-Keep token payloads small

-Make sure you're using HTTPS

-Think about length of token lifespan: not too short, not too long
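
An added example (not part of the original cheatsheet) that applies the four points above when a server hands a freshly issued JWT to the browser: an HTTP-only, HTTPS-only cookie whose lifetime matches the token's `exp` claim and whose size stays within a cookie. The function names, the cookie name `session`, the lifetime bounds and the sample token are assumptions.

```javascript
// Added example: names, limits and the sample token are assumptions.
const MAX_COOKIE_BYTES = 4096;  // common per-cookie browser limit
const MAX_LIFETIME_S = 60 * 60; // assumed policy: at most one hour
const MIN_LIFETIME_S = 60;      // assumed policy: at least one minute

// Read the claims of a compact JWT. No signature check is done here:
// call this only on a token your own server has just issued.
function readClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Build a Set-Cookie value whose lifetime matches the token's exp claim.
function jwtCookie(token, nowSeconds, name = "session") {
  const { exp } = readClaims(token);
  if (!Number.isInteger(exp)) throw new Error("token has no exp claim");
  const ttl = exp - nowSeconds;
  if (ttl < MIN_LIFETIME_S) throw new Error("token lifetime too short or already expired");
  if (ttl > MAX_LIFETIME_S) throw new Error("token lifetime too long");
  // HttpOnly: not readable from page scripts. Secure: only sent over HTTPS.
  const cookie = `${name}=${token}; Max-Age=${ttl}; Path=/; HttpOnly; Secure; SameSite=Lax`;
  if (Buffer.byteLength(cookie) > MAX_COOKIE_BYTES) throw new Error("token too large for a cookie");
  return cookie;
}

// Constructed sample token with a placeholder signature, for demonstration only.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.c2lnbmF0dXJl`;
}

const now = 1700000000; // fixed clock so the output is reproducible
console.log(jwtCookie(sampleToken({ sub: "user-1", exp: now + 900 }), now));
```
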

Auth0

-The "app metadata" part of the Users section in the Auth0 dashboard is what allows us to set roles, etc.

There aren’t any published security advisories