@ch4mp thanks for the answer and the article. While the gateway approach is a bit of overkill for my scenario (I have a single frontend application), it pushed me in the right direction. I now have a proxy controller that intercepts each browser call, gets the JWT token from the session, and forwards the call with the JWT token to stateless REST endpoints.