I'm working on authentication for a Next.js 14 app that uses a separate API server.

### 🔹 Current setup:
1. The login API returns a JWT token via Set-Cookie (HttpOnly) and JSON response.
2. Future API requests need this token, but since it's stored in an HttpOnly cookie, the browser can't access it directly.
3. We're considering two approaches:
- Using API Routes or Server Actions to retrieve the token and forward API requests.
- Letting the browser request the API directly (but this means changing the cookie settings).

### 🔍 Concerns:
- Using API Routes or Server Actions is expected to generate additional traffic on the Next.js server.
Does this actually introduce significant traffic overhead? Has anyone measured the impact?
- Direct API requests would require relaxing HttpOnly security.

### ❓ What’s the best approach in this case?
- Should we keep the HttpOnly setting and use Server Actions/API Routes?
- Or is it better to allow client-side access to the token for direct API requests?
- Any best practices or alternative solutions?

Would appreciate any insights! 🙏