1) It is not necessary to use the built-in sessions in general anywhere and never.
In api, you can use your own tokens, describe the process of receiving and transferring them in the api documentation.
2) Read the documentation of any api of a large project: fb, https://developers.facebook.com/tools/explorer/?me... twitter https://dev.twitter.com/rest/public etc
Anyway (oauth , its own authorization, something else) the client receives an access token which is then explicitly transferred.
3) If you need all this history for authorization / differentiation of rights - ok.
But if you want to store some states on the server for each session, think carefully about how necessary it is. Working with the stateless api is much more pleasant and understandable.

What for?
When you need something unusual, always describe not only your difficulties, but also the original problem.
Most likely you want something unnecessary

Cookies + sessions. All modern frameworks are able to work with various session data stores: database, files, memcache (IMHO, for sessions, that's it). BUT it is not necessary to save all the user information in the session, it is not intended for this. You can store the user ID and other keys in the session in order to easily pull out the necessary data from the database at the right time. If there is a lot of data and it does not change every time a user requests it, then you can cache the data, for example, in a memcache, while the data of users who have not visited the service for a long time should be replaced by the data of users who have just visited the service.

If I understand the question correctly, it is enough for the client to add the ability to work with cookies