I’m saving the JWT auth token client side from the onAuthorized() event but that lets people call my backend manually because they can just send a request using the saved token. How do I prevent that? Am I not supposed to save the token? Am I supposed to implement a means for my backend to prevent such calls?
Is the short answer.
You can put code in place to stop your JS logic making multiple calls. But people can just throw open Chrome Inspector and throw their own calls.
A Twitch extension also self-reloads/generates a new auth once per hour, which can create another call to your backend depending on how you program your JS logic.
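Since the browser can always replay a token it has been handed, the backend has to treat the JWT itself as the only thing it trusts: check the signature, reject expired tokens, and throttle repeat calls per viewer so a replayed or hourly re-issued token cannot trigger the same action over and over. The following is an added example, not code from the thread or from Twitch; it uses only the Python standard library. The claim names (`opaque_user_id`, `channel_id`, `role`), the sample secret, and the assumption that the extension secret is handed out base64-encoded are all constructed or assumed for illustration.

```python
# Added example (not from the original thread): server-side handling of an
# extension JWT. Verify HS256, enforce exp, then throttle per user so that a
# token replayed from the inspector or re-issued by the hourly re-auth cannot
# hammer the backend. Claim names and secret are constructed sample values.
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed stand-in for the extension secret. Twitch hands the secret out
# base64-encoded (assumption); the decoded raw bytes are the HMAC key.
SAMPLE_SECRET_B64 = base64.b64encode(b"constructed-example-secret-not-real").decode()
SAMPLE_SECRET = base64.b64decode(SAMPLE_SECRET_B64)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token the way an HS256 issuer would; used here only to build sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if signature and expiry check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return claims


class RequestGuard:
    """Per-user throttle so a replayed or re-issued token cannot repeat an action at will."""

    def __init__(self, min_interval_s: float) -> None:
        self.min_interval_s = min_interval_s
        self._last_seen: Dict[str, float] = {}

    def allow(self, user_key: str, now: float) -> bool:
        last = self._last_seen.get(user_key)
        if last is not None and now - last < self.min_interval_s:
            return False
        self._last_seen[user_key] = now
        return True


def handle_request(token: str, secret: bytes, guard: RequestGuard, now: float) -> Tuple[int, str]:
    """Backend entry point: returns (HTTP status, message) for a presented bearer token."""
    try:
        claims = verify_hs256(token, secret, now)
    except ValueError as err:
        return 401, str(err)
    # Key the throttle on the opaque user id (assumed claim name) so one viewer
    # cannot trigger the action twice inside the window, whatever their client does.
    if not guard.allow(claims.get("opaque_user_id", "anonymous"), now):
        return 429, "too many requests"
    return 200, f"ok for channel {claims.get('channel_id', '?')}"


def make_sample_token(issued_at: float, ttl_s: float = 3600, secret: bytes = SAMPLE_SECRET) -> str:
    """Constructed token resembling what onAuthorized() hands the front end (assumed claims)."""
    return sign_hs256(
        {"exp": int(issued_at + ttl_s), "opaque_user_id": "U12345", "channel_id": "67890", "role": "viewer"},
        secret,
    )


if __name__ == "__main__":
    guard = RequestGuard(min_interval_s=5)
    tok = make_sample_token(issued_at=1_700_000_000)
    print(handle_request(tok, SAMPLE_SECRET, guard, now=1_700_000_001))  # accepted
    print(handle_request(tok, SAMPLE_SECRET, guard, now=1_700_000_002))  # throttled replay
    print(handle_request(tok, SAMPLE_SECRET, guard, now=1_700_003_601))  # expired
```

The throttle window and the choice of user key are deliberately simple; in a real deployment the guard state would live in shared storage rather than process memory, and the interval would be tuned to the action being protected.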