If certain routes (URLs/endpoints) in your application are only accessible to authenticated users, it is essential to protect them by verifying the user's authentication status. The approach for this may vary depending on the overall setup of your application.
Note that the authentication check relies solely on the short-term session, which is represented as a JWT. How your application receives this JWT, either through a cookie or through an HTTP Authorization header (bearer token), depends on the requester. This will be further explained in the following sections.
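The following route guard is an added example, not code from the original page or from any particular product. It accepts the short-term session JWT from either transport and rejects missing, forged, expired, or wrong-algorithm tokens. Assumptions: the cookie name `short_session`, HS256 with a shared secret (chosen so the example runs offline with the standard library), the `sub` and `exp` claims, and request headers passed as a plain dict with canonical names.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

COOKIE_NAME = "short_session"          # assumed cookie name, not from the page
SECRET = b"constructed-demo-secret"    # constructed key, for this example only

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue(claims, key=SECRET):
    """Build a constructed HS256 token so the example has input to verify."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def extract_token(headers):
    """Return the JWT from the bearer header, else from the cookie, else None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    morsel = SimpleCookie(headers.get("Cookie", "")).get(COOKIE_NAME)
    return morsel.value if morsel else None

def verify(token, key=SECRET, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(b64d(head_b64)).get("alg") != "HS256":  # pinned; rejects "none"
            return None
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig_b64)):   # constant-time compare
            return None
        claims = json.loads(b64d(body_b64))
        exp = claims.get("exp")
    except (ValueError, AttributeError, TypeError):             # malformed token
        return None
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None                                            # missing or past expiry
    return claims

def authenticated_user(headers):
    """Route guard: the subject of a valid short-term session, None otherwise."""
    token = extract_token(headers)
    claims = verify(token) if token else None
    return claims.get("sub") if claims else None
```

A protected route would call `authenticated_user(request_headers)` before doing any work and answer with HTTP 401 when it returns `None`.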