
APIs, JWT, and RBAC: What We Standardize Across React and Vue Codebases

Author: GeniusXLab


JWT-based auth is well understood, but the same failure modes keep recurring: enforcing role checks only in the UI, ambiguous 401 vs 403 handling, and drift between what the SPA thinks a user can do and what the API actually allows.

Our default is to treat the backend as the source of truth for RBAC and to mirror capability checks in the UI only for UX, not for security. Guards in Nest or Laravel run the same rules the client uses for hiding buttons.

Across React and Vue we standardize hooks or composables: current user, role claims, and “can(permission)” helpers, all fed by a typed contract from OpenAPI or a shared schema so teams do not invent parallel enums.
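The pattern described above, as an added example that is not GeniusXLab's code: one permission contract shared by the API guard and the SPA helper, a single `can()` rule evaluated on both sides, a server-side `authorize()` that separates 401 (no valid token) from 403 (valid token, missing permission), and a client that decodes the token payload for UX only. The permission names, roles, claim shape and sample token are constructed for the example; JWT signature verification is assumed to happen on the API before `authorize()` runs and is not shown.

```javascript
// Added example (not GeniusXLab's code): one permission contract shared by
// the API guard and the SPA helper. All names below are illustrative assumptions.
"use strict";

// The shared schema: every permission the product knows, and which roles grant
// it. In practice this is generated from OpenAPI or a shared package so that
// neither the SPA nor the API invents its own enum.
const PERMISSIONS = Object.freeze(["invoice:read", "invoice:write", "user:admin"]);

const ROLE_PERMISSIONS = new Map([
  ["viewer", ["invoice:read"]],
  ["editor", ["invoice:read", "invoice:write"]],
  ["admin", [...PERMISSIONS]],
]);

// The single rule both sides evaluate. A Map rather than a plain object, so an
// unexpected role name such as "constructor" cannot resolve to a prototype member.
function can(claims, permission) {
  if (!PERMISSIONS.includes(permission)) {
    throw new Error(`unknown permission: ${permission}`); // surfaces typos during development
  }
  if (!claims || !Array.isArray(claims.roles)) return false;
  return claims.roles.some((role) => (ROLE_PERMISSIONS.get(role) ?? []).includes(permission));
}

// API-side guard (the job of a Nest guard or Laravel middleware). `claims` is
// null when no token was sent or signature verification (not shown) failed.
function authorize(claims, permission, nowSeconds) {
  if (!claims) return { status: 401, reason: "missing or invalid token" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    return { status: 401, reason: "token expired" };
  }
  if (!can(claims, permission)) return { status: 403, reason: `missing ${permission}` };
  return { status: 200 };
}

// SPA side: decode the payload for UX decisions only. No signature check
// happens here, so nothing security-relevant may depend on this result.
function decodePayloadUnverified(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    const wellFormed =
      typeof claims.sub === "string" && Array.isArray(claims.roles) && typeof claims.exp === "number";
    return wellFormed ? claims : null;
  } catch {
    return null;
  }
}

// What the SPA renders: the same can() rule, used only to hide controls.
function visibleInvoiceActions(claims) {
  const actions = [];
  if (can(claims, "invoice:read")) actions.push("view");
  if (can(claims, "invoice:write")) actions.push("edit");
  return actions;
}

// How the SPA reacts to the API's answer: 401 means re-authenticate,
// 403 means authenticated but not allowed (show a message, do not loop to login).
function onApiStatus(status) {
  if (status === 401) return "reauth";
  if (status === 403) return "denied";
  return "ok";
}

// Constructed sample token: real header/payload encoding, dummy signature segment.
function makeUnsignedToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(claims)}.dummysignature`;
}

const NOW = 1_700_000_000;
const editorToken = makeUnsignedToken({ sub: "u-42", roles: ["editor"], exp: NOW + 3600 });
const editorClaims = decodePayloadUnverified(editorToken);
console.log(visibleInvoiceActions(editorClaims)); // [ 'view', 'edit' ]
console.log(authorize(editorClaims, "user:admin", NOW).status); // 403
console.log(authorize(null, "invoice:read", NOW).status); // 401
```

The point of the layout is that `ROLE_PERMISSIONS` and `can()` live in one shared module: the guard and the button-hiding code cannot drift because they call the same function over the same table, and a permission string that is not in the contract fails loudly instead of silently returning false.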

That consistency is what keeps multi-team products maintainable: one story for auth from login to audit logs, whether the surface is Vue 3 or React 18.