In a single page app, all of the decisions about what view/subview to render occurs on the client and does not require a trip back to the server.

This means that the client has to be able to authenticate the currently logged in user and access its data without going back to the server which means it has to be stored locally.

JWTs are good because they allow for the client to be responsible for keeping track of the permissions of the currently logged in user.

However JWTs require a secret key to be decrypted which means it can't happen on the frontend with the same key that the server uses, say for its csrf protection

Because of this it's clear that we need to have unencrypted way of viewing the local authentication data for use by the application logic

Special care needs to be made to prevent someone interacting with the developers console to be able to change the local authentication data in order to gain access to restricted parts of the code by elevating their permissions

Closures to the rescue!

Create an anonymous function that is imported wherever the authentication information is used and returns the value given by the server on login.

If you wanted to add it to some kind of store that was accessible to the developer console (like redux), it's still okay to let redux) then we could not prevent  them from easily modifying the data. However, hope is not lost. We can let them  modify the data (which we couldn't prevent) if we had so long as we have  some way of preventing them from doing anything with invalidating  it afterwards.

In that case, we need some way of comparing it to a known valid state corresponding to the logged in user.