Almost a year has passed, but still)
I am doing this now. the user logs in, we create a session for him, the session key is in cookies. Together with him in the cookie, the token encrypted with the crypt function is put into the database. the session is over - decrypt the token and check. OK - we issue a new ses key, it doesn't fit - get out)

Store the hash of the username and password. and send it to the server after 401 or for authorization.

I wonder what kind of thoughts they came up with when they came up with a thing with ApiKey that is generated 1 time during registration?
The password and login are not stored on the client, everything is correct. ApiKey is yours, too.
Look at how authorization is implemented in complex systems, because they have a session token everywhere. I recommend you use it too.
The scheme is as follows: on the server, somewhere, store user tokens. The token has a session end time. like a couple of days.
On each request, pass this token and extend the session time by the current time + your session expiration time. If you passed an outdated token, write suspicious data to the log.
It turns out such a situation. The user is active - you can log in only once.
The user comes in once a week, so if you please log in. The token itself should be stored on the device and it is desirable to encrypt it.
Use HTTPS, but you can also think of something like that. The encryption key is your ApiKey which knows the device and knows the server. In this case, when transmitted over the network, it is incomprehensible.

API KEY, which is generated during registration, you can not set an expiration date at all, just a token that is always valid, the only thing you can write is a function to change this token, well, if users want to.