Secure call

Hi there, Once use authenticated using react app via forgerock login journeys through sdk, the front end receives code and then the token exhcanged using code at frontend Bakcend(nodeJS).Then after receiving the id_token,access_token and refresh_token at nodejs. Not sure what is the recommened way of sending this token back to the client(react)? Because front end needs authenticated user claims(such as fristname,lastname,email and etc) and they also need access_token to further communicate with the frontEndbackend api’s all the way to API gateway where core api’s protected using access_token of forgrock. My ask is how to handle this tokens securly. Pls guide here.I was thinking to send id_token to share with front end after authentication and for futher api requests(such as payments,billing,etc protected by api gateway) , react makes calls using id_token thorugh Bearer tokenr and where i mapped intially this id_token with the access_token and refresh-token and stored at local storage of the node.js (my backend). pls advice.

This tutorial shows how this can be done Build a protected web app with React :: SDKs