Hi Jasmo,
You are correct that the database would be a way to securely store the tokens.
Client variables are not encrypted, but they are not shared between different users; they are stored in the local storage of the browser for a given user. They are deleted upon logout. You can eventually take a look at the component Daniel shared or at the Web Crypto API if you really need encryption there.
Cheers,
Tiago Simões