Help understanding getSession and SSR/CSR

I’m using Next.js 13.4.19, and the latest auth0-nextjs package from auth0, noting the recent App Router is considered stable blog article from Auth0.

I wondered if someone more familiar with Next/auth0 could explain this auth0 example of a profile page:

This looks like an SSR page, but uses getSession to obtain the logged in user’s session.

Now, I thought this wasn’t possible due to the appSession cookie being needed to be sent by the browser.

So then I assume when requesting a page, server side or not, the browser’s cookies are available to this SSR page. If that’s correct, I understand this.

Now, what if we want to call an external API using the auth0 access token. We’ll need to grab that from the session. What if we use the proxy pattern, i.e. first call an App Router, like shown in this example:

Here, getSession is used again. How does it get the session cookie?

When I was trying this, the withApiAuthRequired returns a 401, and examining the code, this is due to the cookie not being available.

So then I found this final example of a page that uses the above API:

And note it’s a client side component, presumably so that the appSession cookie is passed to the API.

So am I right in saying that a SSR page CAN access getSession, but a fetch API call on that SSR page CANNOT call an app router API route which itself uses getSession as the cookie is not transferred in this way and only a client side page can do this?