Authentication
Unanswered
(-.-) posted this in #help-forum
(-.-)OP
How do you deal with the JWT token in the client? I need to send the token in every request, but is it safe to save it without httpOnly? Or save to localStorage?
9 Replies
Toyger
> but is it safe to save it without httpOnly? Or save to localStorage?
not safe, both of them.
use at least next-auth; it uses a secure + httpOnly cookie.
ideally lucia-auth with valid sessions.
but in your case at least start with next-auth.
(-.-)OP
It's an old project that is migrating to Next 14, maybe I'll have to go with NextAuth.
(-.-)OP
For now I'm using Route Handlers, where I call the Next API on the client, and the Route Handlers are in charge of getting the token and making the request. Is this bad?
Toyger
it's just not safe. of course if your client's site isn't some big company that gets attacked often then it's not the most critical thing, but it's better to make it at least somewhat secure.
(-.-)OP
We have our own backend; the API handler calls our backend. It is like a BFF between the frontend and the backend.
Toyger
but the non-secure part here is the client side, with a simple cookie and localStorage. an authorized client can be hijacked relatively easily.
(-.-)OP
Do you have any repository to recommend with best practices for authentication with Next 14?
Toyger
as I said you should use at least
next-auth. with your custom backend probably
lucia-auth is more beneficial, but it is more complex. I think you probably can find examples from both solutions in their GitHubs.
(-.-)OP
thank you very much
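The BFF setup the OP describes, with the cookie attributes Toyger recommends, as an added example (not code from the thread or from next-auth/lucia-auth): a pair of Next.js-style Route Handlers where the login handler keeps the backend JWT in an HttpOnly, Secure, SameSite cookie that browser JavaScript cannot read, and the data handler reads that cookie server side and forwards the JWT as a bearer token. `BACKEND_URL`, the cookie name and the backend's `{ token }` login response are assumptions; only the Web Request/Response API is used, so it runs on plain Node 18+.

```javascript
// Added example (not from the thread): Next.js Route Handlers acting as a BFF.
// The JWT never reaches document.cookie or localStorage; it lives only in an
// HttpOnly cookie and is attached to backend calls on the server.
const BACKEND_URL = "https://backend.example.internal"; // assumption: the OP's own backend
const TOKEN_COOKIE = "bff_session"; // assumption: cookie name
const deps = { fetch: (...args) => fetch(...args) }; // swappable for offline tests

// Set-Cookie value with the attributes recommended in the thread.
function tokenCookie(token, maxAgeSeconds = 3600) {
  return [
    `${TOKEN_COOKIE}=${encodeURIComponent(token)}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly", // invisible to document.cookie, so injected script cannot read it
    "Secure", // sent over HTTPS only
    "SameSite=Lax", // not attached to cross-site POSTs, which limits CSRF
  ].join("; ");
}

// Extract the token from the Cookie request header, or null when absent.
function readToken(request) {
  const header = request.headers.get("cookie") || "";
  for (const part of header.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === TOKEN_COOKIE && rest.length) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// POST /api/login (in a real project, `export` this from app/api/login/route.js).
async function POST(request) {
  const credentials = await request.json();
  const res = await deps.fetch(`${BACKEND_URL}/auth/login`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(credentials),
  });
  if (!res.ok) return new Response("login failed", { status: 401 });
  const { token } = await res.json(); // assumption: backend replies { token: "<jwt>" }
  return new Response(null, { status: 204, headers: { "set-cookie": tokenCookie(token) } });
}

// GET /api/profile: the browser sends only the cookie; the JWT is attached here.
async function GET(request) {
  const token = readToken(request);
  if (!token) return new Response("unauthenticated", { status: 401 });
  const res = await deps.fetch(`${BACKEND_URL}/me`, { headers: { authorization: `Bearer ${token}` } });
  return new Response(await res.text(), { status: res.status });
}
```

With this shape the client-side fetch to `/api/profile` carries no token at all, which is what removes the localStorage question from the picture.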