API
mybiz, 2014-10-16 10:03:13

How to implement secure user authorization in a mobile application?

There is a mobile application that talks to an API on the server.
If the user is authorized via a web token, then you need to:
generate a token during authorization, hand it to the mobile application, and the mobile application sends this token with every request to the service.
Let's say the user has a key hash($key.$username), but the question is how to decrypt this on the server?
I understand that this token needs to be encrypted, but then how do you decrypt it?
I can't understand how this algorithm works. They write that it is secure because neither the username nor the key is transmitted, but what stops an attacker from stealing hash(username.key) and using it successfully?


3 answers
xmoonlight, 2014-10-16
@mybiz

you don't need to decrypt anything :)
you just need to compare it with the same pair on the server, in code:
1. you send username and hash (key - DO NOT SEND!)
2. the server computes the same hash from what arrived.
3. equal - AUTH OK.

Dmitry Entelis, 2014-10-16
@DmitriyEntelis

The user sends you their username/password.
You generate a random token for them, store it in the database, and send it to the user.
For complete happiness, it's good to run all API traffic over https; in that case nobody will steal this token without serious preparation.
It seems to me that in 99% of cases this is quite enough.
An alternative solution is not to use a token, but to include in each request a hash computed from the request data and the user's password (while the password itself is not transmitted),
conditionally something like

// the password is mixed into the hash but never sent; the server recomputes the same value
$hash = md5($password . "method=users&rand=23084723984623947&limit=10");
// the hash travels as a named query parameter next to the data it covers
$url = 'http://api.site.ru/users?rand=23084723984623947&limit=10&hash=' . $hash;

Even if the request is compromised, the most that can be done is to repeat it.
If, on top of that, rand is generated so that it must be unique for a given user for, say, a month, we get a fairly reliable scheme.
And yes, this is reinventing the wheel; unfortunately I don't know what it's properly called, I think others will tell you :)
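The per-request hash that Dmitry Entelis sketches above is generally known as HMAC request signing. What follows is an added example, not code from the original post or from any of the answerers, written in Python rather than the PHP of the answer. It shows the scheme together with the two pieces that make the replay he mentions ("the maximum that can be done is to repeat it") fail on the server: a timestamp freshness window and a per-request nonce that the server remembers. The per-user secret, the in-memory nonce store, the username `alice` and the `/users?limit=10` request are all constructed for the example; a real service would keep the nonce store in a cache with a TTL and hold the secrets in its user database.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed for this example: a per-user secret both sides know (e.g. set at
# registration) that is never put on the wire, only used to key the MAC.
USER_SECRETS: Dict[str, bytes] = {"alice": b"correct horse battery staple"}

# Server-side replay store of (username, nonce) pairs already accepted. A real service
# would keep this in a cache with a TTL at least as long as TIMESTAMP_WINDOW.
SEEN_NONCES: Set[Tuple[str, str]] = set()

TIMESTAMP_WINDOW = 300  # seconds of clock skew / delivery delay the server tolerates


def canonical_string(method: str, path: str, params: Dict[str, str]) -> bytes:
    """Method, path and sorted query parameters; sorting makes the MAC independent
    of the order in which the client happens to emit parameters."""
    return f"{method.upper()}\n{path}\n{urlencode(sorted(params.items()))}".encode()


def sign_request(username: str, secret: bytes, method: str, path: str,
                 params: Dict[str, str], now: Optional[float] = None) -> str:
    """Client side: add user, ts and a random nonce, then HMAC-SHA256 the canonical
    request with the shared secret. The secret itself is never transmitted."""
    ts = int(time.time() if now is None else now)
    signed = dict(params)
    signed.update({"user": username, "ts": str(ts), "nonce": secrets.token_hex(16)})
    signed["sig"] = hmac.new(secret, canonical_string(method, path, signed), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode(sorted(signed.items()))}"


def verify_request(method: str, url: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Server side: check freshness, reject nonces seen before, then recompute the MAC
    over everything except `sig` and compare it in constant time."""
    path, _, query = url.partition("?")
    params = dict(parse_qsl(query, keep_blank_values=True))
    try:
        sig = params.pop("sig")
        username, ts, nonce = params["user"], int(params["ts"]), params["nonce"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth parameters"
    secret = USER_SECRETS.get(username)
    if secret is None:
        return False, "unknown user"
    current = time.time() if now is None else now
    if abs(current - ts) > TIMESTAMP_WINDOW:
        return False, "timestamp outside window"
    if (username, nonce) in SEEN_NONCES:
        return False, "replayed nonce"
    expected = hmac.new(secret, canonical_string(method, path, params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    SEEN_NONCES.add((username, nonce))  # remember only requests that actually verified
    return True, "ok"


def demo() -> Dict[str, str]:
    """A valid request, the same bytes replayed, a tampered copy, and a stale copy."""
    now = 1_700_000_000.0
    alice = USER_SECRETS["alice"]
    results: Dict[str, str] = {}
    url = sign_request("alice", alice, "GET", "/users", {"limit": "10"}, now=now)
    results["first"] = verify_request("GET", url, now=now)[1]
    results["replay"] = verify_request("GET", url, now=now)[1]  # the "repeat it" case
    # Attacker captures a fresh request and edits a parameter: the MAC no longer matches.
    fresh = sign_request("alice", alice, "GET", "/users", {"limit": "10"}, now=now)
    results["tampered"] = verify_request("GET", fresh.replace("limit=10", "limit=1000"), now=now)[1]
    # A fresh request arriving an hour after it was signed falls outside the window.
    another = sign_request("alice", alice, "GET", "/users", {"limit": "10"}, now=now)
    results["stale"] = verify_request("GET", another, now=now + 3600)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>9}: {outcome}")
```

The nonce is recorded only after the signature verifies, so an attacker cannot burn a victim's nonce with a garbage request; the timestamp window bounds how long the server must remember nonces. Note that the MAC covers the method and path as well as the parameters, which the PHP sketch above does not, so a captured signature cannot be moved to a different endpoint.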

FanKiLL, 2014-10-16
@FanKiLL

And what prevents stealing cookies? They, like a token, are sent by the browser to the server every time.
IMHO, if it comes to the point that someone steals a token from the user, then that is already the user's problem.
If you issue a token at login, then in such a situation let them log in again and get a new token.
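Dmitry Entelis's first recommendation (a random token stored in the database and carried over https) combined with FanKiLL's point that a re-login should simply issue a new token, as an added example that is not part of any answer on this page. It is written in Python; the in-memory user and token tables, the username `alice`, the password hashing parameters and the 30-day lifetime are constructed for the example. Two details the answers do not spell out but a practitioner would want are included: the server stores only a hash of each token, so a dumped table contains nothing that can be presented to the API, and a successful login revokes every earlier token for that user.

```python
import hashlib
import hmac
import secrets
import time
from typing import Any, Dict, Optional, Tuple

# In-memory stand-ins for the server database, constructed for this example.
# Passwords: salted PBKDF2-HMAC-SHA256. Tokens: only their SHA-256 digest is kept, so a
# dumped table yields neither passwords nor tokens that could be replayed against the API.
_users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, password hash)
_tokens: Dict[str, Dict[str, Any]] = {}       # sha256(token) -> {"user": ..., "expires": ...}

TOKEN_TTL = 30 * 24 * 3600   # seconds a token stays valid after login
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    _users[username] = (salt, _hash_password(password, salt))


def revoke_all(username: str) -> int:
    """Drop every token belonging to the user; returns how many were removed."""
    doomed = [h for h, rec in _tokens.items() if rec["user"] == username]
    for h in doomed:
        del _tokens[h]
    return len(doomed)


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Check the password and issue a fresh random token. The token is pure randomness,
    not derived from the password, and a new login invalidates all earlier tokens
    (the "re-login and get a new token" case)."""
    rec = _users.get(username)
    if rec is None:
        return None
    salt, stored = rec
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    revoke_all(username)
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    issued = time.time() if now is None else now
    _tokens[_hash_token(token)] = {"user": username, "expires": issued + TOKEN_TTL}
    return token


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a presented token to a username, or None if unknown or expired.
    Only the digest is looked up, so the stored table never holds a live token."""
    digest = _hash_token(token)
    rec = _tokens.get(digest)
    if rec is None:
        return None
    current = time.time() if now is None else now
    if current > rec["expires"]:
        del _tokens[digest]   # lazily purge expired entries
        return None
    return rec["user"]


def demo() -> Dict[str, bool]:
    """Issue, use, re-issue, expire and forge tokens for one constructed user."""
    register("alice", "hunter2")
    out: Dict[str, bool] = {}
    out["wrong_password_rejected"] = login("alice", "wrong") is None
    t1 = login("alice", "hunter2", now=0)
    out["t1_accepted"] = authenticate(t1, now=10) == "alice"
    t2 = login("alice", "hunter2", now=20)            # re-login from the same or another device
    out["t1_revoked_by_relogin"] = authenticate(t1, now=30) is None
    out["t2_accepted"] = authenticate(t2, now=30) == "alice"
    out["t2_expires"] = authenticate(t2, now=20 + TOKEN_TTL + 1) is None
    out["random_guess_rejected"] = authenticate(secrets.token_urlsafe(32), now=30) is None
    out["plaintext_not_stored"] = t2 not in _tokens   # only sha256(t2) is a key
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'} {check}")
```

Revoking on every login means a stolen token dies the moment the legitimate user logs in again, which is exactly the recovery FanKiLL describes; if several devices per user are needed, the revocation can be narrowed to the device's own token instead of the whole set.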
