How does Laravel Session work for guest users in API routes?
Hey,
I have been getting status code 419 for many hours. Tired of looking for solutions, I solved it by adding my URL to the $except variable in the VerifyCsrfToken middleware.
// URIs excluded from CSRF verification
protected $except = [
    'api/cart',
];
Now it is working properly, but since this is for a cart object which is supposed to store the "added products" of users, guests should be able to do so too. Will it work properly and be safe and secure?
How can the Laravel Session know whose session is whose?
And if it does know that, is it relatively secure?
Typically an API (laravel or not) doesn't involve sessions - they use tokens. Laravel's API routes don't use sessions.
You can see (and change) the enabled middleware for each group (web/api) in the /app/Http/Kernel.php file. By default the api middleware only uses the throttle and bindings middlewares.
Are your api routes in the api.php route file or the web.php file?
So, what is the approach when making a cart functionality for user and guest clients? Wouldn't it be with session?
My API routes are in the api.php route file.
Besides wanting to have the functionality mentioned above, I want my API routes to be properly protected and to understand how the API knows which cart to issue to which user/guest...
I don't know your specific use case. Do you have an API so that other sites/apps can make requests, or is this only for internal use (only your site uses it)? Typically you'd use something like Passport to consume the API and deal with tokens/state. https://laravel.com/docs/5.8/passport
If this is only for internal use, I generally wouldn't use an api. It adds more complexity. I'd just use regular web routes and return json or whatever the front end needed for those requests.
Typically I only use APIs when I need to process external requests from outside my domain, not people who are logged in via the regular web based auth.
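
An added example, not code from any poster in this thread, of the approach in the last reply: the cart lives on regular web routes that return JSON, so the session and CSRF check stay active and nothing is added to $except. The route paths, the `cart` session key and the field names are assumptions.

```php
<?php
// routes/web.php (added example; paths, field names and the "cart" key are assumptions)
// Routes in this file run through the "web" middleware group, which starts the
// session and verifies the CSRF token, so no $except entry is needed.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Return the current visitor's cart. A guest is recognised by the session
// cookie the browser sends back; with a server-side session driver such as
// "file", the cart contents never leave the server.
Route::get('/cart', function (Request $request) {
    return response()->json($request->session()->get('cart', []));
});

// Add a product to the cart. The front end must send the CSRF token, for
// example in an X-CSRF-TOKEN header read from a <meta name="csrf-token"> tag.
Route::post('/cart', function (Request $request) {
    // Reject malformed input before it reaches the session.
    $data = $request->validate([
        'product_id' => 'required|integer|min:1',
        'quantity'   => 'required|integer|min:1|max:100',
    ]);

    $cart = $request->session()->get('cart', []);
    $id = (int) $data['product_id'];

    // Cap the stored quantity so repeated requests cannot grow it without bound.
    $cart[$id] = min(100, ($cart[$id] ?? 0) + (int) $data['quantity']);

    $request->session()->put('cart', $cart);

    return response()->json($cart);
});
```

Prices and stock should still be looked up server-side at checkout, since the session only stores what the client asked to add.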