I need some clarity with the situation below.

I have my API ready.
Let's say I have a route /reset/token,
I want to be able to serve an HTML file with CSS and all that once I've processed the token internally.

I've not worked with the whole stack before, so I've never really served files based on conditions, i.e. if the token is valid serve x, else serve y.html.

Also, I'm pretty sure Node.js isn't the best for serving files.

So I'm taking another approach with nginx, which is to implement /reset/token to serve the static file with its coupled JS file to query the API. Seems standard to me, but I have this feeling that a prefilled HTML would be more secure than one with exposed JS.

Is this the right way? Should I worry about my API calls being exposed via the JS file? Is obfuscation the only way to handle this? Is this the way everyone does it? Because somehow I don't see the key JS files in most sites. How are they hidden, if so? Or are they?

I'm confused, and also nginx won't let me rewrite /reset/token to something else without changing the browser URL field. How do I prevent that?
