OAuth, RESTy APIs, Microservices, ...
Key point
Whoever has the token can act as the user
You can pass the token to the JS frontend and directly call any backend that accepts the token
(you may have to fight with CORS, but that's still easier than fighting against cookies AND CORS)
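
Added example (not from the original slides): a backend handler that answers the CORS preflight for the `Authorization` header and identifies the user from the bearer token alone. The token value, the origin `https://app.example` and the function names are assumptions made for illustration.

```javascript
// Constructed sample data: opaque bearer tokens mapped to users (hypothetical values).
const TOKENS = new Map([
  ["tok-alice-example", { user: "alice", expires: Date.parse("2999-01-01") }],
]);
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // the JS frontend's origin

// CORS response headers for an allowed browser origin, none otherwise.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Headers": "Authorization",
    "Access-Control-Allow-Methods": "GET",
    "Vary": "Origin",
  };
}

// Backend handler over a simplified request: { method, headers } with lowercase header names.
function handle(req, now = Date.now()) {
  const cors = corsHeaders(req.headers["origin"]);
  // Preflight: the browser asks whether it may send Authorization cross-origin.
  if (req.method === "OPTIONS") return { status: 204, headers: cors, body: "" };

  const match = /^Bearer (\S+)$/.exec(req.headers["authorization"] || "");
  const entry = match ? TOKENS.get(match[1]) : undefined;
  if (!entry || entry.expires <= now) {
    return { status: 401, headers: { ...cors, "WWW-Authenticate": "Bearer" }, body: "" };
  }
  // The token is the only identity check: no cookie, no client binding.
  return { status: 200, headers: cors, body: JSON.stringify({ user: entry.user }) };
}

// Same token, two different callers: the frontend in a browser and a non-browser client.
function demo() {
  const auth = { authorization: "Bearer tok-alice-example" };
  return {
    preflight: handle({ method: "OPTIONS", headers: { origin: "https://app.example" } }),
    frontend: handle({ method: "GET", headers: { origin: "https://app.example", ...auth } }),
    otherClient: handle({ method: "GET", headers: auth }),
    noToken: handle({ method: "GET", headers: { origin: "https://app.example" } }),
  };
}

console.log(demo());
```

In the browser the frontend side is `fetch(url, { headers: { Authorization: "Bearer " + token } })`. CORS is enforced only by browsers, so the non-browser caller gets the same 200 response as the frontend.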