This guide shows how to use Azure API Management to implement a stateless architecture for a JavaScript single-page application that doesn't store tokens in the browser session. Doing so helps to protect access tokens from cross-site scripting (XSS) attacks and keep malicious code from running in the browser.
https://learn.microsoft.com/en-us/azure/architecture/web-apps/guides/security/secure-single-page-application-authorization