Identities are encrypted with a session token and stored in the browser. This keeps the SDK stateless—you can log in on multiple devices without a backend.