I’m pretty sure this is true for a “true” SPA too, e.g. Angular, React, VueJS etc. (Wappler seems to be using the Pjax/Turbolinks technique). So in a regular SPA, you’d get a token from the REST API, store it in a cookie or local storage and send that token with each request to the REST API. The user could leave the page open while the token expires, the “page” will still be interactive, but any requests to the REST API will be invalid. In this scenario, the SPA would then redirect to the login route.
I haven’t tested this in Wappler, but if the session has expired, does it not throw an error that you can catch and in there redirect them to the login route?
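
The flow described in this post, as an added example that is not part of the original post and is not Wappler code: a request wrapper that sends the stored token, and on a rejected request clears the token and redirects to the login route once, even when several requests fail together. The function names, the `api_token` storage key, the `/login` route, the `Bearer` header and the assumption that the API answers an expired token with HTTP 401 are all hypothetical.

```javascript
// Added example; names, the /login route and the 401 convention are assumptions.
function createApiClient({ fetchImpl, storage, navigate, loginRoute = "/login" }) {
  let redirecting = false; // parallel requests may all fail at once; redirect only once

  return async function apiRequest(url, options = {}) {
    const token = storage.getItem("api_token");
    const headers = { ...(options.headers || {}) };
    if (token) headers["Authorization"] = `Bearer ${token}`;

    const response = await fetchImpl(url, { ...options, headers });

    if (response.status === 401) {
      // Token is missing, expired or revoked: drop it so it is not sent again.
      storage.removeItem("api_token");
      if (!redirecting) {
        redirecting = true;
        navigate(loginRoute);
      }
      const err = new Error("Session expired");
      err.code = "SESSION_EXPIRED"; // lets callers tell this apart from other failures
      throw err;
    }
    return response;
  };
}

// Constructed demo: in-memory storage and a fake API that rejects the stale token.
async function demo(initialToken) {
  const store = new Map([["api_token", initialToken]]);
  const storage = {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    removeItem: (k) => store.delete(k),
  };
  const visited = [];
  const fetchImpl = async (url, opts) => ({
    status: opts.headers.Authorization === "Bearer valid-token" ? 200 : 401,
  });
  const api = createApiClient({ fetchImpl, storage, navigate: (r) => visited.push(r) });
  // Two requests in flight at the same time, as on a page left open in a tab.
  const results = await Promise.allSettled([api("/api/items"), api("/api/profile")]);
  return { visited, tokenLeft: storage.getItem("api_token"), results };
}
```

In a browser, `fetchImpl` would be `window.fetch.bind(window)`, `storage` would be `localStorage`, and `navigate` would be the router's navigation call.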