Hello, I am creating my first web app. I created 2 projects for the application, using Vue.js on the frontend and PHP Laravel.
I have successfully created authentication from Vue.js to PHP Laravel 7 using Sanctum's API token for authentication; however, I do have some questions regarding the API token.
The token is saved in localStorage so that it can survive a page refresh. Is there a more secure way of keeping the API token secure? And is it recommended to keep the API token until the user logs out? I am new to the web stack, but I'm very keen on learning the Vue.js + Laravel web stack.
Also, how do we prevent token hijacking? It looks like I can just copy my API token from the browser and use it in the Postman application. It's okay for me to do it, but how do we prevent other people from doing it on my web app?