I can go to this site, GitHub and a few other sites and not have to log in. It knows who I am - because of Token Based Authentication. In a Rails API only app you can implement this by adding a gem (‘jwt’) and following the instructions. Rails API apps are not MVC apps, but MC apps. There are no views, it just sends JSON and the JS backend does the views (I think!). Since a SPA controls the HEAD, it somehow works because it sets the HEAD Authorization header.
In a normal Rails app you can’t add that header. It’s controlled by views/layouts and is the same (replaced?) every time.
In the latest version of Turbo I see some changes so that you can have custom headers. Will someone who knows 90% more about Turbo/JS ever add a Token Based capability to PlainOldRail?
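
For reference, the server-side half of the token flow this post describes, as an added example (not part of the original post and not the jwt gem's code): plain Ruby, standard library only, that reads the `Authorization` header value, verifies an HS256-signed token and checks its expiry. `SECRET`, `issue_token`, `secure_equal?` and `authenticate` are hypothetical names, and the secret is a constructed demo value.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed demo secret; a real app would load this from its credentials store.
SECRET = "constructed-demo-secret"

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Issue an HS256 token: header.payload.signature, each part base64url-encoded.
def issue_token(claims, secret = SECRET)
  head = b64url(JSON.generate({ alg: "HS256", typ: "JWT" }))
  body = b64url(JSON.generate(claims))
  sig = OpenSSL::HMAC.digest("SHA256", secret, "#{head}.#{body}")
  "#{head}.#{body}.#{b64url(sig)}"
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: take the raw Authorization header value and return the claims,
# or nil if the header is missing, malformed, wrongly signed or expired.
def authenticate(authorization_header, secret = SECRET, now = Time.now.to_i)
  scheme, token = authorization_header.to_s.split(" ", 2)
  return nil unless scheme == "Bearer" && token
  parts = token.split(".", -1)
  return nil unless parts.size == 3 && parts.none?(&:empty?)

  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  # Pin the algorithm server-side instead of trusting the token's own header.
  return nil unless header.is_a?(Hash) && header["alg"] == "HS256"

  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{parts[0]}.#{parts[1]}")
  return nil unless secure_equal?(Base64.urlsafe_decode64(parts[2]), expected)

  claims = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  return nil unless claims.is_a?(Hash) && claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
rescue ArgumentError, JSON::ParserError
  nil
end
```

A client would send the issued token as `Authorization: Bearer <token>` on each request, and the server would call `authenticate` with that header value before running the controller action.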