Angular

How to implement AngularJs + Rails Api authentication?

Hello!
We have such an information system architecture:

It consists of a Rails API-only application that is accessed by a web client, as well as a group of Browser based clients that communicate with the API through an Angular application, which they periodically update from a third-party server. Access to this group of clients is available only once, then they must work independently of the system administrator. It is necessary to implement authentication (for example, through a token) so that each such client has access only to its own information. The token cannot be pre-registered, because the Angular application is periodically updated from its server, and what to do if you need to change it. So far, the solution is seen only through a bunch of "very long session + cookies", but I would like to get a stateless system. I can not understand, the task is really non-trivial,
Hence the following questions:
1. How best to solve the problem?
2. How can such an architecture be improved?
3. Can Rails API-only app and Rails web app be combined to allow native Rails methods to bypass the API? Or is it preferable to implement a good API separately and continue to work only through it?
4. Which jam should be chosen for assigning roles to users?
I express my gratitude to all participants in the discussion!