Your scope is wide and the architecture could be diverse, especially for an enterprise architecture. I would assume at least you have tiers/layers, so we have the database layer (your database), application layer (Laravel app) and presentation layer (React), all of them hosted on different servers or nodes. Such an architecture would mean you expose application-layer APIs that will be consumed by the client app (React).
Now to the issues you have raised.
The most secure login, IMO, is OTP, as it means a 4- or 6-digit code is sent to the user, who has to submit it client side for validation server side. If you are paranoid enough about security and users can have Gmail accounts, then I would consider using Gmail authentication for the apps, for reasons such as: they have spent years thinking about security, and I would therefore ride upon their learnings. They also have alerts when a strange device accesses the email account. If, however, you control all the user data, then a phone number and an OTP that is sent to the user every time they log in is secure enough.
On API authentication: every request has to be authenticated by a user-specific, time-bound token supplied in the login request body. Authorization should also happen across the two layers, client side as well as server side. Ideally, when a user logs in, part of the response body should be the roles and permission matrix for the user. This can guide the client-side implementation on what the user can see or do. Nevertheless, the server-side implementation should also run the check in its API gateway to validate that the user action is white-listed in the user's roles and permission matrix.