He can see all your requests in DevTools -> Network, with headers and responses. What is the question?

I would advise starting from the following concept:
1. Your front should be responsible only for visualization - all sensitive data is given back and returned there. You should really not care that your js can be parsed, without authorization there is no point. Also, if you want to cover up some super-unique code on the front - collectors with obfuscation, other garbage))
2. Authorization can be done according to the jwt token scheme with the release of a short-lived token, which is used to sign requests in the back, to it a refresh token for updating. Tokens can be stored in the localstore so that browser unloading does not lose the authorization state. There should be plenty of examples on the Internet. You choose the lifetime of tokens according to your taste.

Actually I don't like it either. I solved this issue quite simply. A separate authorization page, and already AFTER successful authorization, the SPA is loaded. Here they write like what is the problem? Well, no one canceled DDOS. Authorization can go through one server, and work with the API through another. In order to close the api from the outside world.

hiding endpoints:
- impossible
- in terms of security, you will not get anything
by loading hidden data for authorization through a jwt token. This will be enough