I’m all for replacing as much 3rd party libs with stdlib but it’s hard to look past the storing of the jwt in localStorage. Please don’t do that people. It’s very easily extracted through xss attacks.

A cookie is susceptible to both xss and CSRF. You ought to be protecting against xss anyway.