#Route with conditional auth + wrapping?

Looking at moving our codebase to tanstack-router, one thing I'm not entirely sure about:

We have a tree of routes that can either be public without auth, or with auth. The biggest change between the two is that with auth renders the route inside an app shell w/ navigation, profile, etc.

We were planning on putting most authed routes inside an /auth folder, but wasn't sure about this one. I guess it needs to be top level and handle the difference w/ its layout, but are there better patterns for this kind of thing?

Thanks!

Route with conditional auth + wrapping?

Create a _auth or (auth) route group folder and a route.tsx file there that can render the authed layout.

Check the auth status with beforeLoad

Similarly, everything else or a (guest) route group can have the unauthenticated layout