It looks like your token is in the format of a JWT, or "JSON Web Token."
First of all, a caveat: it's super dangerous to expose JWTs through an API like this. It's far preferable to keep JWTs transfering around via secure, HTTP-only cookies. If a bad player acquires this JWT token, they can perform tasks on behalf of the user.
That being said, if you insist on exposing the user's token to the browser, know that JWTs can be decoded to expose their payload. The JWT you posted here has this payload:
{
"account": [
{
"dateCreation": "2019-10-24T10:32:30.730Z",
"resetpasswordtoken": null,
"resetpasswordexpires": null,
"role": "admin",
"enable": true,
"_id": "5db17f863faf3f1154479ee6",
"email": "saaraaaachemlal@gmail.com",
"password": "$2b$10$lFIJJAPWReZgC/MjDhbnHecS7FowwA9TSjLNTfUwQXJPvX0NhCMwu",
"tickets": [],
"gains": [],
"__v": 0,
"nom": "ACHEMLAL_",
"prenom": "MERYEM_",
"tel": "0619562721"
}
],
"iat": 1572043952
}
You can read the account.role property to decide what to do in your application. See the JWT spec for more details about how to parse the JWT, or there may be a library available to do it for you.
Again, I'd caution you to never return the JWT in the API. You could always just expose it without the signing bits to make it unusable as an auth token (split it on the . characters and return the payload segment); then on the client side you only have to base64-decode the string. Or perhaps your API could do that decoding for you.