Single Page App - Validate Access Token

I’ve failed move my rules to actions as recommended, and in trying to fix that up, I realise need to go back to basics.

My current implementation may be overly complicated, and I’ve downloaded the sample app for a Single Page Application to re-assess, however, either the access token is not actually being sent and validated, or it’s far from clear where that magic happens!

The nav-bar component calls this.auth.loginWithRedirect();

But where is the access token saved?

The external-api component calls$() but where is the access token sent in the headers?

The api-server get handler confirms “Your access token was successfully validated”, but this is skeleton code surely? No validation actually took place?

That seems obvious however - are there any hidden interceptors that injected the access token into headers and is there the equivalent of middleware somewhere that would have rejected the get request if the access-token was not valid?

If there are no interceptors, I guess my original solution is valid and not over complex after all!

Am I missing the validation “magic” in the sample app?