zhiyong:

Lumen authentication: username+password vs JWT?

Hi,

I am weighing two strategies to implement authentication in Lumen. 1) Include username and password in each post to an API. 2) Periodically send username and password to a dedicated auth API to get a JWT, and then use the JWT in each post to other APIs. These all happen over SSL.

So which would be a better choice in terms of both security and cost? Sending username and password every time sounds like a bad idea, and also incurs quite a bit of computation cost. But big vendors like Amazon SES still do it this way. How about JWT? This slightly increases the complexity of code on both the server and client side. And JWT for Lumen seems not mature yet so far.

Please advise. Thanks in advance.

isaackearl:

I think the best answer is definitely to use JWT. I have primarily built APIs during my time using Laravel, and every time we use JWT and it isn't so bad to implement. With JWT you'll have better security and more flexibility IMO.

I found a decent guide online and briefed over it, and I think it is pretty accurate for getting Lumen properly configured with JWT: https://laravelista.com/json-web-token-authentication-for-lumen/... but maybe you should try the wiki for the package first (https://github.com/tymondesigns/jwt-auth/wiki). I remember my first time implementing it I thought it would be too complicated, but it ended up being relatively easy and I found help on here.

It's really nice because once it is set up you can just use the jwt.auth middleware and you can automatically protect your routes and make sure people are authenticated.

It's also nice because you can use the facade to do things like JWTAuth::getUser() etc. to grab the user on the routes that go through your middleware.

If you have trouble configuring it you can post on here and there are plenty of people with experience setting it up since it is very popular for APIs.
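To make strategy 2 concrete, here is an added example (not code from the thread or from the jwt-auth project) of a Lumen route file that exchanges credentials once at a dedicated auth endpoint and then protects every other route with the jwt.auth middleware. It assumes tymondesigns/jwt-auth is installed with JWT_SECRET configured, facades enabled, and the 'jwt.auth' route middleware registered in bootstrap/app.php; the `$app->post`/`$app->group` registration style and the `/auth/login` and `/me` paths are my choices, matching the Lumen 5.0/5.1 era of the linked guide.

```php
<?php
// Added example (not from the thread): strategy 2 in Lumen with tymondesigns/jwt-auth.
// Assumptions: package installed, JWT_SECRET set, $app->withFacades() called, and
// 'jwt.auth' registered via $app->routeMiddleware([...]) in bootstrap/app.php.

use Illuminate\Http\Request;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;

// 1) Dedicated auth endpoint: the password travels only here, over TLS, and is
//    exchanged for a signed, expiring token. Only this endpoint pays the
//    password-hash verification cost on every call.
$app->post('auth/login', function (Request $request) {
    $credentials = $request->only('email', 'password');
    try {
        if (! $token = JWTAuth::attempt($credentials)) {
            // Wrong email or password: do not say which one.
            return response()->json(['error' => 'invalid_credentials'], 401);
        }
    } catch (JWTException $e) {
        // Signing failed (e.g. secret not configured).
        return response()->json(['error' => 'could_not_create_token'], 500);
    }
    return response()->json(['token' => $token]);
});

// 2) Every other API route sits behind jwt.auth, which rejects a missing,
//    malformed, expired or tampered token before the handler runs. Checking
//    an HMAC signature is far cheaper than re-verifying a password hash.
$app->group(['middleware' => 'jwt.auth'], function () use ($app) {
    $app->get('me', function () {
        // The middleware already validated the token; this resolves the user
        // the token was issued for.
        $user = JWTAuth::parseToken()->authenticate();
        return response()->json(['id' => $user->id, 'email' => $user->email]);
    });
});
```

Clients send the token as `Authorization: Bearer <token>`; keep the configured TTL short so a leaked token has a bounded lifetime, since the server cannot invalidate it without extra state.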

priti:

For me all links are redirected to 404 !
