-Don't store JWTs in local storage: favor React state or an HTTP-only cookie
-Keep token payloads small
-Make sure you're using HTTPS
-Think about the length of the token lifespan: not too short, not too long
-The "app metadata" part of the Users section in the Auth0 dashboard is what allows us to set roles, etc.