JavaScript
Shane Matte, 2016-05-31 22:17:24

How to store session in mobile application?

Hi. There is a service written in Laravel. There is a REST API. We now need to make a mobile application, with authentication, and of course, after successful authorization, access to your personal account. I'm thinking of writing an application using electronjs. But how and where to store a session in a mobile application, and how to control access rights?


3 answer(s)
xmoonlight, 2016-06-01
@xmoonlight

It doesn't matter what you write on and how (PHP, rest / non-rest, etc.): the schema is the same everywhere.
1. The server creates a session identifier and always indicates it when responding to each client request.
2. The client uses this identifier (usually stored in browser cookies) for each subsequent request.
3. If the server responded with a NEW session ID, the client MUST use the new one.
A token combines authorization and session using a hash operation.
1. After receiving the session ID from the server, the client sends hashed information based on the login, password and received ID.
2. The server checks and, if everything is correct, issues a token for subsequent requests.
3. To protect against restoring the hashing formula based on the same data, polymorphism is used: the random and timestamp parameters are added to the transmitted parameters.
4. To protect uniqueness - on the server side, a daily storage of all requests based on a token is provided.
1. Permanent - when it does not change with each request to the server.
2. One-time - when after each request to the server, the server issues a new token.
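
An added example (not part of the answer above and not any project's own code): a server-side check for the login exchange the answer describes, where the client proof covers the login, the session ID, a random nonce and a timestamp, and the server remembers accepted requests for a day. HMAC-SHA256, the scrypt-derived key, the 5-minute window, the in-memory maps, the sample account and all function names are assumptions.

```javascript
const crypto = require('crypto');

const MAX_SKEW_MS = 5 * 60 * 1000;          // assumed acceptance window for timestamps
const REPLAY_TTL_MS = 24 * 60 * 60 * 1000;  // accepted requests are remembered for a day

// Constructed sample account: the server keeps a scrypt-derived key, not the password.
const SALT = Buffer.from('constructed-salt');
const deriveKey = (password) => crypto.scryptSync(password, SALT, 32);
const users = new Map([['alice', deriveKey('correct horse')]]);

const seen = new Map();   // "sessionId:nonce" -> expiry time (replay cache)
const tokens = new Map(); // issued token -> login

// Proof over login, session ID, random nonce and timestamp.
function makeProof(key, login, sessionId, nonce, ts) {
  return crypto.createHmac('sha256', key)
    .update(JSON.stringify([login, sessionId, nonce, ts]))
    .digest('hex');
}

// Server side: check freshness, uniqueness and the proof, then issue a token.
function handleLogin(req, now = Date.now()) {
  if (Math.abs(now - req.ts) > MAX_SKEW_MS) return { ok: false, reason: 'stale timestamp' };
  for (const [k, exp] of seen) if (exp <= now) seen.delete(k); // drop expired entries
  const replayKey = `${req.sessionId}:${req.nonce}`;
  if (seen.has(replayKey)) return { ok: false, reason: 'replay' };
  const key = users.get(req.login);
  if (!key) return { ok: false, reason: 'bad proof' }; // same answer as a wrong password
  const given = Buffer.from(String(req.proof), 'hex');
  const expected = Buffer.from(makeProof(key, req.login, req.sessionId, req.nonce, req.ts), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad proof' };
  }
  seen.set(replayKey, now + REPLAY_TTL_MS);
  const token = crypto.randomBytes(32).toString('hex');
  tokens.set(token, req.login);
  return { ok: true, token };
}

// Client side: build the request for the session ID the server handed out.
function buildRequest(loginName, password, sessionId, ts = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const proof = makeProof(deriveKey(password), loginName, sessionId, nonce, ts);
  return { login: loginName, sessionId, nonce, ts, proof };
}
```

The token returned by `handleLogin` is what the mobile client keeps and sends with later requests; access-rights decisions stay on the server, keyed by the login the token maps to.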

littleguga, 2016-05-31
@littleguga

You probably wanted to say with the Ionic framework?
Electron is for desktop.
You can look at React Native or something else.
I do not quite understand what the problem with control of rights is. This should be handled by your API on the server (whether such a method is allowed or not). And on the client, it's enough just to store a token for requests.

Mikhail Osher, 2016-05-31
@miraage

Bearer token.
