API

Where can I read about different API implementations for SPA?

Hello.
Advise where you can read about the details of the implementation of the API?
In particular (I understand that all this is individual, but perhaps there are different solutions somewhere) there are such questions:
1. Suppose, when an authorization token is transmitted with each request, I see at least three approaches.
a)
first GET /session (we check if the token is rotten)
then, if everything is fine, then GET /users/:user_id, where we get the user data,
everyone likes this approach, like everything is "feng shui"
b) the same, but
I don't know why GET /current_user , but I like it less :)
c) immediately, in the response to /session we get all the necessary data (user data, selected locale, some settings, whatever)
also, it seems, a good option :)
2. On many sites I saw that there is a request for the current user rights. Accordingly, a list of what the user can do is returned. I also want to read about the generally accepted implementations of this approach.
Thanks in advance.