So, just as an idea of how I would do it if I could not use sessions. Also, I'm guessing here that you mean server-side sessions.
Have a key that needs to be present in the request to authenticate each request; without this key nothing can be done/executed. This key could be obtained from an endpoint which takes a username and password and returns the key. The key is also kept in a DB for x amount of time (which you purge after the set x time), so you can compare it with the key from the requests made: if it is present you continue the request, and if not you stop it.
Basically you create your own session handler, but utilizing your DB, your API endpoints and some DB scripts to purge sessions.
FYI: This is just a basic idea that quickly came to me and there are zero risk assessments made on it. I have the benefit that my work is contained within a domain, so I don't have to worry about external factors, only internal ones, which makes it a bit easier :)
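
The scheme described in the post above, sketched as an added example that is not part of the original post: a login function issues a random key, the database keeps it with an expiry, every request is checked against it, and a purge job deletes expired rows. The in-memory SQLite database, the table and function names, the 15-minute lifetime and the choice to store only a SHA-256 digest of the key are assumptions made for illustration.

```python
import hashlib, hmac, secrets, sqlite3, time

TTL_SECONDS = 900  # the post's "x amount of time"; 15 minutes is an assumed value

db = sqlite3.connect(":memory:")  # assumed store; any database works the same way
db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
db.execute("CREATE TABLE api_keys (key_hash TEXT PRIMARY KEY, name TEXT, expires_at REAL)")

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user(name, password):
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, pw_hash(password, salt)))

def key_hash(key):
    # Assumption: keep only a digest, so a leaked table does not expose usable keys.
    return hashlib.sha256(key.encode()).hexdigest()

def login(name, password, now=None):
    """The endpoint that takes username and password; returns a key or None."""
    now = time.time() if now is None else now
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], pw_hash(password, row[0])):
        return None
    key = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
    db.execute("INSERT INTO api_keys VALUES (?, ?, ?)",
               (key_hash(key), name, now + TTL_SECONDS))
    return key

def authenticate(key, now=None):
    """Run on every request; returns the user name, or None to stop the request."""
    now = time.time() if now is None else now
    row = db.execute("SELECT name, expires_at FROM api_keys WHERE key_hash = ?",
                     (key_hash(key or ""),)).fetchone()
    # Expiry is enforced here too, so a late purge never extends a key's life.
    if row is None or row[1] <= now:
        return None
    return row[0]

def purge(now=None):
    """The scheduled DB script: delete expired keys, return how many were removed."""
    now = time.time() if now is None else now
    return db.execute("DELETE FROM api_keys WHERE expires_at <= ?", (now,)).rowcount

add_user("alice", "correct horse")  # constructed sample account
```
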