I wrote some script to load the admin bundle js and style on my site after getting the JWT. Looks like this:

    async loadBundle(){
        if (this.loaded){
            return;
        }

        const [style, bundle] = await Promise.all([
            fetch("/styleAdmin", {
                method: "GET",
                headers: {
                    "Authorization": "Bearer "+this.token,
                    "Cache-Control": "no-store"
                }
            }),
            fetch("/bundleAdmin", {
                method: "GET",
                headers: {
                    "Authorization": "Bearer "+this.token,
                    "Cache-Control": "no-store"
                }
            })
        ]);
        if (style.status !== 200 || bundle.status !== 200){
            throw new Error('Loading error.');
        }
        const [css, js] = await Promise.all([style.text(), bundle.text()]);
        this.loaded = true;
        const styleTag = document.createElement("style");
        styleTag.innerHTML = css;
        const scriptTag = document.createElement("script");
        scriptTag.innerHTML = js;
        document.head.appendChild(styleTag);
        document.head.appendChild(scriptTag);
    }

The bundle contains a window.main method I call after loading it and pass the token to it. So the authorization part is totally public, but the admin content is reachable only with valid JWT.

I am not proud of this code. I mean somehow it does not feel right, but since I don't have server side session and session cookie I am not sure how to solve this with JWT.

Another server side thing here, that I want to serve static files with CloudFlare from AWS S3 and I am not sure how to validate JWT there.