It is possible. The easiest method would be to:
- Enable the JWT feature in sessions.
- Send the JWT to your APIs for verification, and those APIs then verify the JWT using the JWKs endpoint exposed by our backend SDK.
- Session refreshing, login, sign out would still happen via just one of the API endpoints (whichever you choose). But make sure that that API endpoint shares the same base domain as the website domain, else browsers like Safari will not allow sending cookies.