JavaScript
Pavel, 2015-11-24 13:28:32

How to do authentication in a modern web application?

If the web application is supposed to have the following architecture:
Backend: api written in Go.
Client: Static JavaScript pages that access the backend API.
How is authentication done in such applications?
How to do primary authentication?
Do I understand correctly that each time the API is accessed on the backend, it is necessary to check whether the user is authenticated or not. How should it be done?


4 answer(s)
nirvimel, 2015-11-24
@region23

As everywhere:

  • All other APIs accept the session_id parameter, without it they answer 401, with an invalid session_id they answer 403.
  • Sessions are not eternal, N minutes after the last api-call are erased.
  • If the client suddenly receives 403, then he does not immediately shout about it to the user, but tries to re-login at least once.
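The scheme in this answer, written out in Go (the backend language from the question) as an added example that is not part of the answer: a server-side session store whose check returns 401 when no session_id is presented, 403 when it is unknown or has been idle longer than the limit, and erases idle sessions on their next use. The `Store`, `Create` and `Check` names, the 32-byte random id and the idle limit are my assumptions; primary authentication (the password check before `Create`) is not shown.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"sync"
	"time"
)

// session remembers who owns a session_id and when it last called the API.
type session struct{ userID string; lastSeen time.Time }

// Store keeps sessions server-side; ttl is the idle limit ("N minutes").
type Store struct {
	mu   sync.Mutex
	ttl  time.Duration
	sess map[string]session
}

func NewStore(ttl time.Duration) *Store { return &Store{ttl: ttl, sess: map[string]session{}} }

// Create issues an unguessable session_id after primary authentication (password check not shown).
func (s *Store) Create(userID string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue from
	}
	id := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sess[id] = session{userID, time.Now()}
	return id
}

// Check runs first in every API handler: 401 / 403 / 200 as the answer prescribes, plus the user id.
func (s *Store) Check(id string) (int, string) {
	if id == "" {
		return 401, "" // no session_id presented at all
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	se, ok := s.sess[id]
	if !ok || time.Since(se.lastSeen) > s.ttl {
		delete(s.sess, id) // unknown or idle-expired: erase and refuse
		return 403, ""
	}
	se.lastSeen = time.Now() // a valid call restarts the idle timer
	s.sess[id] = se
	return 200, se.userID
}
```

Every API handler calls `Check` before doing anything else; a 403 is what the client reacts to by re-logging in once, as the answer describes.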
v- death, 2015-11-24
@vGrabko99

Make an authorization method. For example, one
which takes the parameters

    {
     "login":"",
     "email":"", // optional, but I use it
     "pass":""
    }

and returns a token:

    package main

    import (
    	"crypto/rand"
    	"encoding/base64"
    	"log"

    	"github.com/xxtea/xxtea-go/xxtea"
    )

    // newToken builds the token body, encrypts it with XXTEA and returns it base64-encoded.
    func newToken() string {
    	rb := make([]byte, 64)
    	_, err := rand.Read(rb)
    	if err != nil {
    		log.Print(err)
    	}

    	token := `{
    	  "user_id":"",
    	  "name":"",
    	    ...,
    	  "salt": "` + base64.URLEncoding.EncodeToString(rb) + `",
    	   "expiries":"", // token lifetime
    	}`
    	// the second argument is the server's secret key (placeholder value here)
    	encrypt_data := xxtea.Encrypt([]byte(token), []byte("Ваш ключ для шифровки токена"))
    	return base64.URLEncoding.EncodeToString(encrypt_data)
    }

xxtea https://github.com/xxtea/xxtea-go
The token is then passed to all other methods.
You can still use standard sessions, but then the load on the server is large. This way everything is stored on the client side.

Fr0stDev1, 2015-11-24
@Fr0stDev1

There is a good article on Habr

OnYourLips, 2015-11-24
@OnYourLips

Do I understand correctly that each time the API is accessed on the backend, it is necessary to check whether the user is authenticated or not.
That's right, it's a must.
How should it be done?
Depending on the authorization method. For example cookies or sessions.
