It's very hard to tell you every step you need to make to create a secure app, so nextjs itself listed a guide on how to set up authentication best pratices and a detailed walk though auth. You can see it here: https://nextjs.org/docs/app/building-your-application/authentication

The important part for you begins at 2.

Or as little overview here[:](https://nextjs.org/_next/image?url=%2Fdocs%2Fdark%2Fauthentication-overview.png&w=1920&q=75)

basically u fetch your external api in your route handler and set your jwt as a httpOnly cookie from your route handler using cookies()

Keeping your external api on the server strips out the need for proper authentication since u can easily protect your api with a password

your external one

@Acacia-ants solved?