API calls are stateless, hence the REST methodology.
This means you have to pass in some identifier along with the call. For example, if the admin is making an API call, you would pass the admin-api token along as a Bearer header.
If you do not care about keeping it light, you can always load the session middleware with the API. For example, you can add any middleware here or at the router level.
However, I would rather suggest you use a token package such as JWT Auth, which provides you with some nice functionality and keeps your APIs REST.
In the end, it all depends on what you need your API for and who is going to be accessing it.