
Writing the API gateway for serious-business and Kittybox is a two-part job. I want that sweet, sweet React goodness, but I can't leak my access token that can read arbitrary posts from my Micropub endpoint! So I have two layers:

  1. On the top, there is the frontend. It calls an API gateway via fetch() to receive data (and pass access control checks with cookies - they'll be signed).
  2. The API gateway has the token and, never revealing it to the client-side code, fetches posts from Kittybox.

The token is not revealed, my private posts are safe, my readers have client-side rendering, everyone is happy!
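
A sketch of the gateway side of this split, as an added example that is not code from serious-business or Kittybox: it verifies an HMAC-signed cookie, then fetches the post upstream with the token attached server-side. The cookie format, the secret and token values, the `kittybox.example` URL, the function names and the use of Micropub's `q=source` query are all assumptions.

```javascript
// Added example: gateway-side logic only. All names and URLs are assumptions.
const { createHmac, timingSafeEqual } = require("node:crypto");

const COOKIE_SECRET = "constructed-cookie-secret";   // constructed sample value
const MICROPUB_TOKEN = "constructed-micropub-token"; // constructed; stays server-side
const MICROPUB_ENDPOINT = "https://kittybox.example/micropub"; // placeholder URL

// Cookie format assumed here: "<value>.<base64url HMAC-SHA256 of value>"
function mac(value) {
  return createHmac("sha256", COOKIE_SECRET).update(value).digest("base64url");
}
function signCookie(value) {
  return `${value}.${mac(value)}`;
}
// Returns the signed value, or null if the signature is missing or wrong.
function verifyCookie(cookie) {
  const dot = typeof cookie === "string" ? cookie.lastIndexOf(".") : -1;
  if (dot < 1) return null;
  const value = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1));
  const expected = Buffer.from(mac(value));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return value;
}

// Gateway handler: access check first, then an upstream fetch with the token.
// fetchImpl is injectable so the example runs offline.
async function handlePostRequest({ cookie, postUrl }, fetchImpl = fetch) {
  const reader = verifyCookie(cookie);
  if (reader === null) return { status: 403, body: { error: "forbidden" } };
  // A real gateway would also decide here whether this reader may see postUrl.
  const upstream = `${MICROPUB_ENDPOINT}?q=source&url=${encodeURIComponent(postUrl)}`;
  const res = await fetchImpl(upstream, {
    headers: { Authorization: `Bearer ${MICROPUB_TOKEN}` },
  });
  if (!res.ok) return { status: 502, body: { error: "upstream error" } };
  // Only the post JSON goes back: no upstream headers, no token.
  return { status: 200, body: await res.json() };
}
```

The frontend only ever sends the cookie and receives post JSON; the `Authorization` header exists solely on the gateway-to-Kittybox hop.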