Thank you for your response!
Jeroen Nyckees

What do you mean by completely secure SPA? It’s a static site that you can host on AWS or any CDN meaning that no matter what a user will be able to access those files.

That being said, a user will NOT have access to your API. They can load the /account page, but that doesn’t mean they will see any info.

Does that make sense?