1. To begin with, you don't need to bother with SSR - let the rendering always come from the fact that the user is not authorized. Everything else can be loaded on the client if necessary.

What kind of authentication is needed

- a rather strange question, since it's up to you depending on what the conditions of the task are :) Assuming that you need to find out what options there are, I can say that in general there are 2 of them - a standard history for sites with cookies and sessions or receiving token and further authorization on it, that is, a standard history for any REST API.
2. If you mean stateless authorization on the client via OAuth, then there is a wonderful library for this. If you do not want to pull such a big dependence, then you can implement it yourself - everything is quite simple there. I can be more specific if you're interested. On the backend, you can take a ready-made solution, of which there are a lot for any language / framework / CMS.
3. There are no particular subtleties. Got a session token or cookie and that's it. Then everything depends on what exactly needs to be implemented.
Everything related to the email confirmation process is backend, so everything is standard here, and SSR does not change anything. Again, there are tons of ready-made solutions for any platform. OAuth can also be completely given to the backend, but here you need to understand that then you will not be able to use this backend for the stateless API.