Comment on How to store user's access tokens/API keys without hashing them?
noli@programming.dev 1 year ago
Couldn’t you do something like JWT except allow the client to slap on their credentials to any initial request?
From the backend side that means that if there is no valid token, you can check the request body for the credentials. If they’re not there, then it’s an unauthorized request.
You’re eliminating a singular request in a long period of time at the cost of adding complexity to both client and backend, but if the customer wants to be silly that’s their fault.
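
The backend flow described in the comment above, as an added example that is not part of the original comment: a valid token is accepted as-is, otherwise the request body is checked for credentials, and a request with neither is rejected with 401. The HMAC-signed token (a stand-in for a real JWT library), the `credentials` body field, the 15-minute lifetime and the user store are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, time

SERVER_KEY = os.urandom(32)   # signing key, generated per process for this example
TOKEN_TTL = 900               # assumed token lifetime in seconds
SALT = os.urandom(16)         # one salt for the example; use a per-user salt in practice
def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)
USERS = {"alice": _kdf("correct horse")}   # constructed user store: name -> password hash

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(payload: str) -> str:
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())

def issue_token(user, now=None):
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": user, "exp": int(now) + TOKEN_TTL}).encode())
    return f"{payload}.{_sign(payload)}"

def verify_token(token, now=None):
    """Return the subject if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (ValueError, TypeError):
        return None
    return claims["sub"] if claims.get("exp", 0) > now else None

def check_credentials(user, password):
    candidate = _kdf(password)             # always run the KDF, even for unknown users
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, candidate)

def handle(headers, body, now=None):
    """Return (status, user, new_token); new_token is set only after a credential login."""
    auth = headers.get("Authorization", "")
    user = verify_token(auth[7:], now) if auth.startswith("Bearer ") else None
    if user:
        return 200, user, None
    # No valid token: fall back to credentials attached to the request body.
    creds = body.get("credentials") if isinstance(body.get("credentials"), dict) else {}
    u, p = creds.get("username"), creds.get("password")
    if isinstance(u, str) and isinstance(p, str) and check_credentials(u, p):
        return 200, u, issue_token(u, now)
    return 401, None, None
```

Because every endpoint now accepts credentials, login rate limiting and request-body log redaction have to cover all of them, not just a dedicated login route.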