
KMountford

Confusion about session persistence with API driven "SPA" site. JWT? OAuth? Just session setting?

Hey all,

About to start a project with a friend and want to divide the app cleanly between front and backend. I'll be creating an API to provide all relevant data, but this is a site that will be user-driven.

I've been reading about authentication and APIs and I'm unsure how we should tackle the fact that we want users to be able to have a traditional session whilst all data will be returned via various endpoints.

So, User A will 'log in' via an endpoint and then hit a page that will request all of User A's posts and display them.

My first impression is that /api/login accepts an email and password and attempts to auth, returning failed or the session (and remember) cookie. The front end sets it and passes it on subsequent requests, which the API can check. Or is this all wrong?

Appreciate your advice.

0 likes
0 replies
