Securing mixed SSR + API server

Hi. I would like your suggestions for configuring a dual app which will consist of a back end and a front end.

I am moving from a pure SPA+API approach to one where the HTML of the initial page load will be server-side rendered for performance and SEO reasons.

Currently, I’ve been using JWT tokens with auth0.js lib.

What do I do next? Can I keep the API and dynamic requests in pages but also transparently have the user authenticated when they are requesting the pages from the browser?

If you switch to a web-server app model, then you can redirect your unauthenticated user (when they try to hit a protected page) to the login page and then return back to your backend an authZ code, which it can exchange for token(s). After verifying the tokens, your backend can generate a page with the required content and establish a cookie with a session or a token, depending on whether your API is hosted on the same server or on a different one.
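
The flow described in the answer above, sketched as framework-free Node.js handlers for the same-server case, where the cookie carries a session id. This is an added example, not part of the original post. The URLs, client id, cookie names and the injected `exchangeCode` / `verifyIdToken` helpers are assumptions standing in for the identity provider's token endpoint call and a JWT verification library.

```javascript
// Added example. AUTHZ_URL, CLIENT_ID, REDIRECT_URI and the cookie names are placeholders.
const { randomBytes } = require('node:crypto');

const AUTHZ_URL = 'https://idp.example/authorize';    // placeholder
const CLIENT_ID = 'example-client-id';                // placeholder
const REDIRECT_URI = 'https://app.example/callback';  // placeholder
const COOKIE_FLAGS = 'Path=/; HttpOnly; Secure; SameSite=Lax';
const sessions = new Map(); // sid -> { sub, accessToken }; in-memory for the demo only

function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Protected page: serve it for a known session, otherwise start the login redirect.
function handlePage(req) {
  const session = sessions.get(parseCookies(req.headers.cookie).sid);
  if (session) return { status: 200, headers: {}, user: session.sub };
  const state = randomBytes(16).toString('hex'); // binds the callback to this browser
  const q = new URLSearchParams({ response_type: 'code', client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI, scope: 'openid profile', state });
  return { status: 302, headers: { Location: `${AUTHZ_URL}?${q}`,
    'Set-Cookie': `login_state=${state}; ${COOKIE_FLAGS}; Max-Age=600` } };
}

// Callback: check state, exchange the code server-side, verify the ID token,
// then issue the session cookie. exchangeCode/verifyIdToken are hypothetical helpers.
async function handleCallback(req, { exchangeCode, verifyIdToken }) {
  const url = new URL(req.url, REDIRECT_URI);
  const code = url.searchParams.get('code');
  const expected = parseCookies(req.headers.cookie).login_state;
  if (!code || !expected || url.searchParams.get('state') !== expected)
    return { status: 400, headers: {} };
  const tokens = await exchangeCode(code);             // backend-to-IdP call with client secret
  const claims = await verifyIdToken(tokens.id_token); // must throw on bad signature/iss/aud/exp
  const sid = randomBytes(32).toString('hex');
  sessions.set(sid, { sub: claims.sub, accessToken: tokens.access_token });
  return { status: 302, headers: { Location: '/',
    'Set-Cookie': [`sid=${sid}; ${COOKIE_FLAGS}`, `login_state=; ${COOKIE_FLAGS}; Max-Age=0`] } };
}
```

Because the tokens stay in the server-side session and the cookie is `HttpOnly`, page scripts cannot read them; state-changing API routes that rely on this cookie still need CSRF protection beyond `SameSite=Lax`.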