Create a middleware that checks if user is logged in. Then apply that middleware on each routes that requires protection.

// server/middlewares/auth.js
import jwt from "jsonwebtoken";
import * as config from "../config.js";

export const requireSignin = (req, res, next) => {
  // console.log("__REQ_HEADERS__", req.headers);
  try {
    const decoded = jwt.verify(req.headers.authorization, config.JWT_SECRET);
    // console.log("DECODED => ", decoded);
    req.user = decoded;
    next();
  } catch (err) {
    return res.status(401).json({ error: "Invalid or expired token" });
  }
};

Now apply requireSignin middleware in any routes you want to protect.

// routes/auth
import { requireSignin } from "../middlewares/auth.js";

router.get("/", requireSignin, auth.hello);

Now ‘/api‘ is only accessible if you send the token in req.headers