Sep 8, 2021
I use cookies, see step 2. You can write and read the JWT in the cookies, you don't need to use it as a bearer token. But you can also read it from the cookie and add it as a bearer token for API requests if you prefer. Is this working for you?
As I understand it, this might not always work, e.g. if the server is hosted at a different domain. I assumed this is what @Florian is asking about.
Here you want to redirect to your SPA after auth. You can add the JWT as a parameter to the redirect (myspa.com&token=xyz) and then handle this in the SPA.
Let me know if that makes sense, I can try to clarify this in the article as well.
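The two flows described in the comment above, as an added example that is not the commenter's code: reading the JWT back out of a cookie and sending it as a bearer token on API requests, and, for the cross-domain case, pulling the token off the redirect URL when the SPA loads. The cookie name `jwt`, the query parameter name `token`, the host `myspa.example` and the token value `aaa.bbb.ccc` are all constructed for the example. The functions are written as pure helpers over `document.cookie`-style strings and URL strings so they run outside a browser; in the SPA you would pass `document.cookie` and `window.location.href`.

```javascript
// Added example, not from the original comment. Assumed names: cookie "jwt",
// redirect parameter "token", SPA origin https://myspa.example.

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Minimal shape check before using a value as a token: three base64url
// segments. This is not verification; the API server still checks the
// signature and expiry on every request.
function looksLikeJwt(token) {
  return typeof token === 'string' &&
    /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(token);
}

// Step "read it from the cookie and add it as a bearer token": build the
// Authorization header for an API call. Returns null when there is no usable
// token so the caller can send the user to login instead of an unauthenticated
// request.
function bearerHeaderFromCookie(cookieString, cookieName = 'jwt') {
  const token = parseCookies(cookieString)[cookieName];
  return looksLikeJwt(token) ? { Authorization: `Bearer ${token}` } : null;
}

// Cross-domain case: the auth server redirected to the SPA with ?token=...
// Take the token out of the URL and return a cleaned URL. The SPA should call
// history.replaceState(null, '', cleanUrl) right away so the token does not
// stay in the address bar, browser history, bookmarks or outgoing Referer
// headers (URLs are also commonly written to server and proxy logs).
function takeTokenFromRedirect(urlString, paramName = 'token') {
  const url = new URL(urlString);
  const token = url.searchParams.get(paramName);
  if (!looksLikeJwt(token)) return { token: null, cleanUrl: urlString };
  url.searchParams.delete(paramName);
  return { token, cleanUrl: url.toString() };
}

// Cookie string the SPA assigns to document.cookie after taking the token
// from the redirect. JavaScript cannot set HttpOnly, so Secure and SameSite
// are the attributes available from the client side; an HttpOnly cookie has
// to be set by the server in a Set-Cookie response header.
function jwtCookieString(token, cookieName = 'jwt') {
  return `${cookieName}=${encodeURIComponent(token)}; Path=/; Secure; SameSite=Lax`;
}

// Glue for the SPA entry point (constructed usage, no browser needed here).
function bootstrapFromLocation(href, cookieString) {
  const { token, cleanUrl } = takeTokenFromRedirect(href);
  const cookie = token ? jwtCookieString(token) : null;
  const headers = bearerHeaderFromCookie(cookie ? `${cookieString}; ${cookie}` : cookieString);
  return { cleanUrl, cookie, headers };
}
```

In the browser, `bootstrapFromLocation(window.location.href, document.cookie)` would run once on load; the returned `cookie` is assigned to `document.cookie`, `cleanUrl` goes to `history.replaceState`, and `headers` is spread into each `fetch` call to the API.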