1 year ago
#383216
Lucian Thorr
How to use AWS Cognito with a web app and REST API
I have a React.js web app that talks to a Golang REST API and I'm using AWS Cognito for authentication. It is all working but I am not confident that it is correct.
The web app provides username/password sign in using the AWS Amplify SDK, which returns an accessToken on successful login. I then set it as a cookie and use that in requests to the REST API.
The REST API authenticates the token using the AWS SDK and allows requests if the accessToken is verified.
I've read that storing the accessToken as a cookie is not safe but I don't know of another way around this offhand. I'm hoping encrypting it with some kind of public/private key approach will be good enough but I'm curious if there are any other obvious improvements that could be made.
Tags: oauth, amazon-cognito, aws-amplify, aws-amplify-sdk-js
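An added example, not part of the original post and not the poster's code: a cookie written from browser JavaScript cannot carry `HttpOnly`, so one option is for the Go API to verify the token once and set the cookie itself with `HttpOnly`, `Secure` and `SameSite`, then re-verify it on every request. Assumptions: the `/session` and `/items` routes, the `verify` callback (standing in for the AWS SDK check the question describes) and the token value are hypothetical or constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// startSession verifies the bearer token once, then returns it as a hardened cookie.
func startSession(verify func(string) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if !verify(tok) {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: "accessToken", Value: tok, Path: "/",
			HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
	}
}

// requireSession re-verifies the cookie on every API request before calling next.
func requireSession(verify func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("accessToken"); err != nil || !verify(c.Value) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// exercise logs in with loginTok, replays any issued cookie against the API, and reports both.
func exercise(loginTok string) (cookies []*http.Cookie, apiStatus int) {
	verify := func(t string) bool { return t == "constructed-valid-token" } // stand-in check
	login := httptest.NewRequest("POST", "/session", nil)
	login.Header.Set("Authorization", "Bearer "+loginTok)
	rec, out := httptest.NewRecorder(), httptest.NewRecorder()
	startSession(verify)(rec, login)
	cookies = rec.Result().Cookies()
	api := httptest.NewRequest("GET", "/items", nil)
	for _, c := range cookies {
		api.AddCookie(c)
	}
	requireSession(verify, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(out, api)
	return cookies, out.Code
}

func main() { fmt.Println(exercise("constructed-valid-token")) }
```

With cookie-based authentication the API also needs CSRF protection on state-changing routes; `SameSite=Strict` covers that only when the web app and the API are same-site.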
0 Answers