Django
Vladimir, 2019-03-20 13:18:15

How to implement user access rights to the API?

Hello!
I have a Django site. It solves a business problem. At some point it became necessary to add more functionality to the site, built on the basis of the existing one, and then more again. As a result, this Django application handles several site domains that have the same business logic but different user functionality.
Now we need to add a few more domains with possibly different functionality. There was an idea to separate the common logic into a separate service, so that it would be easier (as it seems) to bind a new domain with its functionality to the business logic.
The site also has an API mainly for working with business logic, with different levels of accessibility for users of the site / sites based on groups.
Actually, the question is: what is the architecturally correct way to split out a separate service?
I have these options:
- In the main application, an API Gateway to the service will be implemented, and it will check the access rights to the service.
- The service should receive information about the user's authentication and access level from the application, but I have little idea how to implement this, and what bothers me is that with each request it may have to request the access level from the application.
Thanks in advance!
