Frontend authenticates to a server using a JWT issued by another server

I have two servers and a frontend client:

  1. One server authorizes and authenticates the user, then issues a JWT to the client.
  2. The frontend client also calls the second backend server, sending the JWT in the Authorization header.
  3. The JWT secret is the same on both servers (encrypted by SHA256).

Questions:

  1. Is there any alternative that keeps the token safer and prevents it from being stolen by third-party JavaScript? An HTTP-only cookie doesn't fit, since the client reads some data from the JWT.
  2. Do you see any security drawbacks in the existing flow?
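
The flow described in the question, as an added example that is not part of the original post: the first server issues an HS256 token and the second server verifies it with the same shared secret. It assumes HS256 is what the post means by SHA256; the function names, claim names and the secret value are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: constructed demo value; in the described setup both servers hold it.
SHARED_SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(claims: dict, secret: bytes, ttl: int = 300, now=None) -> str:
    """Server 1: sign the claims with HS256 and a short expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + _b64url(_mac(secret, signing_input))

def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Server 2: return the claims, or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        sig = _b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the server; never let the token's header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison of the recomputed MAC.
    if not hmac.compare_digest(sig, _mac(secret, f"{head_b64}.{body_b64}")):
        raise ValueError("bad signature")
    # Parse the payload only after the MAC has been verified.
    claims = json.loads(_b64url_decode(body_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    token = issue_token({"sub": "user-1", "role": "reader"}, SHARED_SECRET)
    print(verify_token(token, SHARED_SECRET))
```

The payload is only base64url-encoded, which is why the frontend can read claims from it. With a shared HS256 secret, whichever server can verify a token can also mint one.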