Web API authorization, without ready-made solutions?
Hello, I want to build an API on ASP.NET Core and I want to ask a couple of questions about authorization in the API.
The API is not written yet; I just want to plan it and draw everything out in my head.
Let's imagine there is a database of users with a login and password and some other rubbish.
The controller has an Auth(string login, string pass) method that returns a response to us in which, upon successful login, there is a token that we then keep using simply by attaching it to subsequent requests in the header.
The token is recorded in the Tokens table together with the user id and the receiving IP. That is, our token is the key to performing actions on behalf of the user, but only from that same IP.
There is a controller with data and other actions; they carry an authorization attribute that just checks for the presence of this token in the header. If it is absent, the request is rejected with an error; otherwise everything works according to its scenario.
The idea seems simple, and I do not see any "holes" for hacking here.
1) It seems to me that checking the validity of the IP - Token pair (a database request) on every API call will take a long time and responses will exceed half a second. How can this be solved, or how is it usually done?
2) Everywhere I read about this topic they write: "Do not write yourself, there will be a lot of holes! Use ready-made solutions. (Owin, etc.)"
Are there holes in my model?
3) If I build a site (a web application) that accesses the API (as I understand it, like a regular client, via HTTP requests), then in theory my site will be one of the users that holds the token and sends it in the header. Will it be visible in the browser's web debugger? Which IP will the requests come from, the server's or the user's? I mean the requests that are not made from the site's controllers but from Ajax.
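An added illustration (not the asker's code, nor code from the linked project) of how the per-request Tokens-table lookup from question 1 can be avoided: the token itself carries the user id and an expiry and is signed with a server-side HMAC key, so the authorization attribute can verify it in memory with a constant-time comparison. The class and method names are assumptions; a token like this cannot be revoked individually without a server-side deny list, which is the trade-off against the database approach.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: a stateless bearer token, format
//   base64url(userId|expiresUnix) + "." + base64url(HMAC-SHA256(key, payload))
// The key is a server-side secret never sent to clients. User ids must not contain '|'.
public static class StatelessToken
{
    public static string Issue(byte[] key, string userId, TimeSpan lifetime, DateTimeOffset now)
    {
        long expires = now.Add(lifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes($"{userId}|{expires}");
        return B64(payload) + "." + B64(Sign(key, payload));
    }

    // Returns true and the user id when the signature is valid and the token is not expired.
    public static bool TryValidate(byte[] key, string token, DateTimeOffset now, out string userId)
    {
        userId = "";
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, mac;
        try { payload = UnB64(parts[0]); mac = UnB64(parts[1]); }
        catch (FormatException) { return false; }
        // Constant-time comparison so the check does not leak how many bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(Sign(key, payload), mac)) return false;
        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        if (fields.Length != 2 || !long.TryParse(fields[1], out long expires)) return false;
        if (now.ToUnixTimeSeconds() >= expires) return false;   // expired
        userId = fields[0];
        return true;
    }

    private static byte[] Sign(byte[] key, byte[] data)
    {
        using (var h = new HMACSHA256(key)) { return h.ComputeHash(data); }
    }

    private static string B64(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] UnB64(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(t.PadRight(t.Length + (4 - t.Length % 4) % 4, '='));
    }
}
```

The authorization attribute would read the header, call TryValidate with the server key and DateTimeOffset.UtcNow, and reject the request when it returns false.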
If you are interested in how the system already works, you can try it )
autoupdateservice.azurewebsites.net/swagger
In response to the authorization call there will be a token, which needs to be entered after pressing Authorize.
https://github.com/BashkaMen/QRTicket