JWT authentication in Universal apps (server-side rendering)

Universal or server-side rendering composes a page before sending it to the client. At that point the user had no chance of submitting any credentials unless using cookies. JWT encourages using LocalStorage for storing the token instead of cookies, and I think this is a good practice.

I'm trying to set up SSR for an app that is similar to a blog. Users create content that can be public (anyone can find it and read it) or private (only the user and collaborators should be able to find it and read it). Handling public content on SSR is easy, but the private content requires a token stored in LocalStorage.

The best solution I could come up with is sending a stub, or maybe a loading page, from which the client can send the credentials to the server to retrieve the private content. The problem I see with this approach is a privacy one: showing a loading page or stub would give away that there is actually content on that URL, even if it resolves to a 404 because there were no credentials. Sending the stub/loading page for everything, public or private content, would defeat the purpose of server-side rendering.

So my question is, what are the best practices to handle rendering content that requires authentication without cookies? Any examples are welcome. Any framework would be ok, although I'm currently using Angular 5.
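The following is an added example, not part of the original post: it models the existence leak described in the question and one way to avoid it, by server-rendering public posts and returning the same shell for every other path. The paths, posts, token table and function names are all constructed for illustration; a real app would verify a JWT signature and expiry instead of using a lookup table.

```javascript
// Constructed sample data: one public post and one private post.
const POSTS = {
  "/posts/hello": { visibility: "public", body: "Hello, world" },
  "/posts/draft": { visibility: "private", body: "Secret draft", readers: ["alice"] },
};

// Hypothetical stand-in for JWT verification (assumption: token -> user id).
const TOKENS = { "token-alice": "alice", "token-bob": "bob" };
const userFor = (authHeader) =>
  TOKENS[(authHeader || "").replace(/^Bearer /, "")] || null;

const SHELL = { status: 200, body: "<app-root></app-root>" }; // client bootstrap page
const NOT_FOUND = { status: 404, body: "Not found" };

// Leaky first-load handler: private URLs get the shell, unknown URLs get a 404,
// so an anonymous visitor can tell which private URLs exist.
function ssrLeaky(path) {
  const post = POSTS[path];
  if (!post) return NOT_FOUND;
  return post.visibility === "public" ? { status: 200, body: post.body } : SHELL;
}

// Uniform first-load handler: public posts are server-rendered; every other
// path, private or nonexistent, receives the identical shell.
function ssrUniform(path) {
  const post = POSTS[path];
  return post && post.visibility === "public"
    ? { status: 200, body: post.body }
    : SHELL;
}

// API the shell calls with the token from LocalStorage. "Missing", "no token"
// and "not a collaborator" all collapse into the same 404.
function apiGetPost(path, authHeader) {
  const post = POSTS[path];
  const user = userFor(authHeader);
  const allowed = post &&
    (post.visibility === "public" || (user !== null && post.readers.includes(user)));
  return allowed ? { status: 200, body: post.body } : NOT_FOUND;
}

// True when an anonymous first load cannot tell paths a and b apart.
function indistinguishable(handler, a, b) {
  return JSON.stringify(handler(a)) === JSON.stringify(handler(b));
}
```

With `ssrUniform`, unknown URLs answer 200 with the shell on first load, and the 404 only appears after the client-side API call. The model compares status and body only; response size and timing would need the same treatment in a real deployment.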
