Why Your React App Should Never Touch an Access Token
Your React app stores access tokens in localStorage. A compromised npm package reads them. Game over. Granit.Bff moves token handling to the server, so the browser only sees an HttpOnly cookie it cannot read.
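
A minimal sketch of the pattern described above, added here as an illustration: it is not Granit.Bff's code or API. The function names, the `__Host-bff` cookie name and the in-memory session map are assumptions made for the example.

```javascript
// Added illustration of the BFF pattern; NOT Granit.Bff's API. All names are hypothetical.
// randomUUID() exists on both node:crypto and the Web Crypto global.
const cryptoApi = typeof require === "function" ? require("node:crypto") : globalThis.crypto;

// Server-side only: opaque session id -> access token. The token never leaves this map.
const sessions = new Map();

// After the server completes the OAuth flow, it keeps the token and hands the
// browser an opaque identifier in a cookie that page scripts cannot read.
function startSession(accessToken) {
  const sid = cryptoApi.randomUUID(); // CSPRNG-backed, carries no token material
  sessions.set(sid, accessToken);
  return `__Host-bff=${sid}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Model of what any script in the page (including a compromised dependency) sees:
// browsers leave HttpOnly cookies out of document.cookie.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h))
    .map((h) => h.split(";")[0])
    .join("; ");
}

// On each API call the server swaps the cookie for the bearer token before
// contacting the upstream API.
function upstreamHeaders(cookieHeader) {
  const m = /(?:^|;\s*)__Host-bff=([^;]+)/.exec(cookieHeader || "");
  const token = m && sessions.get(m[1]);
  if (!token) return null; // unknown or missing session: answer 401, forward nothing
  return { Authorization: `Bearer ${token}` };
}
```

HttpOnly keeps the token out of reach of page scripts, but the browser still attaches the cookie to requests automatically, so the `SameSite` and `Secure` attributes shown here are part of the design rather than optional extras.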