Store the Token into the server session instead of a JS local variable.
You could use localstoage, but a server session works fine for this, and you never send the access token to the front end as you use express sessions to handle security instead.
Personally I use express-session to handle my express sessions.
Taking a server generated access token and pushing it out to the “JS Frontend” to utilise is a tad overkill here and kinda defeats the purpose of generating the token on the server in the first place.