Well, generally speaking, REST implies statelessness - each request must contain information that identifies the user (basic, digest auth). Those. your client application EACH TIME inserts authentication data (login/password) into the request header, and the application "lifts" the user from the database using this data and returns the result / denies access depending on the role.
The second option is to use token-based authentication/authorization (see OAuth, JWT (JSON Web Tokens))
The third option is to use cookies, and this may be justified in your case. If both clients work for you on the same domain / subdomain, then with a cookie everything will turn out quite simply