It is strange that this hasn't been a part of Strapi from the beginning. How do people protect a route on the server without having access to a cookie?

For anyone interested n this topic. There is a plugin for this but today it lacks support for GraphQL https://github.com/bwyx/strapi-jwt-cookies

+1 Cookies Authentication + Including support against CSFR-attacks with a separate CSFR token.

I would like this as well. JWT tokens in localStorage is often touted as a big no-no, having built-in support for cookies in Strapi would be great.

Cookies Authentication