[tracker1]

1. you can still use a cookie if you really want to, or have it in your application state in memory for PWA, though a browser refresh will kill it.

2. Same for any authentication header or token

3. I'm not sure I see the problem

4. See 3, don't do it, use shorter lived tokens with a refresh if necessary.

5, see 4

6. Again, you could still use cookies, and longer lived, or state/revokation backed store... I don't do many SSR in practice, mostly PWA

7. That is absolutely an option... usually, I forward back with the token on the hash, then the first thing the app does is use the history api to pull it out and remove it from visibility... it does appear for a brief moment, but like anything else, you'd see it in devtools anyway.