the classical approach, together with a request to give data that uniquely identifies the user (the login password is not transmitted with each request, because this is a potential opportunity to eavesdrop on this data, well, there is a performance problem, you will have to check the user database for each request, which is very expensive)
usually for identifying the user, the service creates a special "key" at the entrance (which the user keeps and transfers to the service with each request).
Previously, sessions were actively used for these purposes, which the server stored in its memory and verified the entered data with these sessions - but there are many problems with scalability and performance, so now the so-called "tokens" are actively used
data about the user is encrypted in such a token, upon receipt of the token, the server decrypts the data located there, does not check it with anything and DOES NOT STORE, this decrypted data specifically indicates whether the user has access rights or not.
these tokens can be passed to the server in the request as a parameter:
http://site.ru/data.json?token=your_token
but this method is considered bad because tokens remain in the browser history for example (well, get requests cut off the length of a possible link)
most passing tokens in the request header is considered a suitable way.
For more information about tokens, I advise you to look here: https://jwt.io/introduction/

Well, by default, the browser won't let you make an ajax request from another domain to your server unless the server sends a special header that allows cross-domain ajax requests. That is, in the simplest case, you can limit yourself to checking on the server for the fact that it was an ajax request that came to you, this is far from 100% protection, but it will limit most unwanted requests. Another csrf token is a good option

Try customjson
https://marketplace.1c-bitrix.ru/solutions/ru51a4....