Handle authentication in a single place

Hello, currently, I have a REST API dedicated to a website with JWT authentication, so user login, token is saved on cookies and the server receives the cookie in every request checking if the token is valid. In this REST API I’ll call multiple microservices owned by me and I don’t want to create authentication in every one of them, so I was planning to use Kong for that. But if a user hit the microservice URL directly, it will not have authentication. What is the approach used to handle this? Have the microservices accepting requests only from the Kong URL with CORS?