Tags: node.js, security, jwt, token, bearer-token

Where should I save client's JWT for future requests?


My API returns a token to the client on logging in, which in turn requires the client to put it in a header every time it makes a request to the server. Where should I save those tokens? If they are saved in browser storage, then anyone can copy them and log in to the client's account.


Solution

  • You are right. It's not safe to store it in local storage.

    The JWT needs to be stored inside an HttpOnly cookie, a special kind of cookie that's only sent in HTTP requests to the server, and it's never accessible (both for reading or writing) from JavaScript running in the browser.

    You can read more about this in this article about JWT best practices: https://logrocket.com/blog/jwt-authentication-best-practices/