If you run a ReST-style web API, It can be a bit tricky to decide which authentication mechanism is right for your scenario. Even more so if you need to support multiple different types of clients. Plain tokens? JWT? Session cookies? OAuth2? What about CORS? Do you neec CSRF protection?
Over at Aymeric Augustin's blog, there is a nice article about this. It focuses on Django and React, but it does a good job at explaining the technical background and the trade-offs involved.