A million options.
If the session cookie/JWT is not httpOnly, just look at it. You may want to look at it before the request and after, and then compare.
You can have the backend answer the authorization with "OK" / "not OK".
Or work out from subsequent backend responses whether you are authorized or not.
The main thing: never rely in the browser on JWT claims like nbf and exp, because the client's clock can be off by enough that the TLS handshake still succeeds while your whole refresh scheme breaks. For example, the clock will be off by 6 minutes when the token's validity is 5 minutes.
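
The point of the answer above, as an added example that is not part of the original post: a client-side `nbf`/`exp` check compared with deciding from the backend's response, using the 5-minute token and 6-minute clock error mentioned there. All function names, the timestamp and the unsigned sample token are constructed for illustration.

```javascript
const TOKEN_LIFETIME_S = 5 * 60; // token validity from the post: 5 minutes
const CLIENT_SKEW_S = 6 * 60;    // client clock error from the post: 6 minutes

// Build a sample token (constructed; the signature part is a placeholder).
function makeSampleToken(claims) {
  const b64url = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(claims)}.sig-placeholder`;
}

// Read the claims without verifying anything, as browser code would.
function decodeClaims(jwt) {
  const part = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(part));
}

// Fragile check: compares nbf/exp against the local, possibly wrong, clock.
function authorizedByClaims(jwt, clientNowS) {
  const { nbf = 0, exp = Infinity } = decodeClaims(jwt);
  return clientNowS >= nbf && clientNowS < exp;
}

// Stand-in for the backend (hypothetical): it validates against its own clock.
function backendStatus(jwt, serverNowS) {
  const { nbf = 0, exp = 0 } = decodeClaims(jwt);
  return serverNowS >= nbf && serverNowS < exp ? 200 : 401;
}

// Robust check: the backend's answer decides the client-side state.
function authorizedByResponse(status) {
  if (status === 401) return false;
  if (status >= 200 && status < 300) return true;
  // Server or network trouble says nothing about the session; do not log out.
  throw new Error(`unexpected status ${status}; auth state unknown`);
}

function demo() {
  const issuedAtS = 1700000000; // constructed server timestamp
  const token = makeSampleToken({ nbf: issuedAtS, exp: issuedAtS + TOKEN_LIFETIME_S });
  const serverNowS = issuedAtS + 10;             // 10 s after the token was issued
  const clientNowS = serverNowS + CLIENT_SKEW_S; // client clock runs 6 minutes fast
  return {
    byClaims: authorizedByClaims(token, clientNowS),
    byResponse: authorizedByResponse(backendStatus(token, serverNowS)),
  };
}
```

With the clock 6 minutes fast, the claims check reports a freshly issued token as expired, so a refresh triggered by that check would fire on every token it receives; the response-based check is unaffected.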