I\'ve got a SPA and a backend API served via Express.
Rather than protecting a route basing just on authentication state and scopes, I\'d like to, for example, let an
