You leave the token in localStorage. When someone tries to use it, you
check its creation time in your database. If it is too old, or came
from the wrong IP address or wrong user, or wrong anything else, you
don’t use it.
If you remember the "creation time" in the browser, that
can be hacked as well.
Your token should be completely random characters, generated by
your server program.
JΛ̊KE
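
The server-side check described in the post above, as an added example that is not part of the original post. The table layout, the function names, the 15-minute lifetime and the choice to store only a SHA-256 digest of the token are assumptions made for the illustration.

```python
import hashlib
import secrets
import sqlite3
import time

MAX_AGE_SECONDS = 15 * 60  # assumed lifetime; the post gives no figure

# In-memory database standing in for the server's real token store.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE tokens (digest TEXT PRIMARY KEY, user_id INTEGER,"
           " ip TEXT, created_at REAL)")


def _digest(token):
    # Assumption: keep only a hash, so a leaked table holds no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, ip, now=None):
    """Generate a random token on the server and record its metadata."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    created = time.time() if now is None else now
    db.execute("INSERT INTO tokens VALUES (?, ?, ?, ?)",
               (_digest(token), user_id, ip, created))
    return token  # this value is what the browser keeps in localStorage


def check_token(token, user_id, ip, now=None):
    """Accept the token only if every server-side check passes."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT user_id, ip, created_at FROM tokens WHERE digest = ?",
        (_digest(token),)).fetchone()
    if row is None:
        return False  # unknown or forged token
    stored_user, stored_ip, created_at = row
    if now - created_at > MAX_AGE_SECONDS:
        # Age is judged from the database row, never from a client value.
        db.execute("DELETE FROM tokens WHERE digest = ?", (_digest(token),))
        return False
    return stored_user == user_id and stored_ip == ip
```

The browser never sends or stores a creation time; the only thing it holds is the opaque random string returned by `issue_token`.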