Applications handle identities in the form of access and ID tokens. They need tokens to call APIs securely. In the case of Single Page Applications (SPAs), the browser stores the sensitive credentials that allow anyone holding them to call an API, and a browser is a hostile environment, vulnerable to attacks. Typically, tokens stored by the SPA are not protected by transport-layer encryption, leaving them susceptible to Cross-Site Scripting and Man-in-the-Browser attacks. The current best security practice for SPAs recommends keeping the tokens out of the browser altogether. In this talk, I will show how to achieve this with minimal effort for development teams by introducing a lightweight backend component called the Token Handler. I will describe the architecture of this solution, its deployment scenarios, and its impact on performance and development complexity.