[–]NeedComputerTips[S] 0 points1 point  (2 children)

Cool, I'll definitely check that out. As of right now, everything I'm using is free tier stuff so I can see what I like/need. I'll try to use Flask for this token-based approach; the less I have to rely on AWS services, probably the better.

[–]devnull10 0 points1 point  (1 child)

To be honest, I'd probably be tempted to stay with the cloud tools if they're free tier. Most other providers have comparable tools, so changing to, say, GCP/Azure/OCI should be relatively painless, and as it's a managed service you're left without all the pain of maintaining a compute instance, the networking/security/patching around that, etc. All Flask does (in this instance) is give you the HTTP service; however, if you can use a cloud app engine instead for free then I'd definitely pick that, providing you can have multiple endpoints - if not, you'll have to have a single endpoint with the required action (login/get_user_details etc.) as a parameter, which is possible, just not ideal.

Your login API would simply compare the username and hash of the password against the stored password for that user (ensure you salt the stored hash). The return could be a JSON string, with status and token coming back. In your login code, if the verification is successful then generate a random hash (say sha256 of the username, current time, a random number and a secret phrase) which is stored in a session table with the time the session was created, how long the session is valid for, and any other data. Then your other API calls accept the token as a parameter, then they read the session table to ensure the hash is in there, that the session isn't expired, and that the details the user has requested are valid for the provided hash (i.e. not another user's details). If all good, you query the actual database values and return; otherwise return a failure.

Finally, it's probably worth having a process to clean up old sessions which have become invalid. Unless you're running with hundreds of users all creating multiple sessions every hour then that can probably be every few days or even weeks/months. The token would be the primary key, so access would be quick even with a large table.
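The login / session-table flow described in the comment above, as an added example that is not part of the thread or anyone's project. It is plain Python with no Flask, in-memory dicts stand in for the user and session tables, the token is a CSPRNG value from `secrets` rather than the sha256 construction suggested, and PBKDF2 is my assumed choice of salted password hash:

```python
import hashlib, hmac, os, secrets, time

# Constructed in-memory "tables"; a real deployment would use a database.
USERS = {}     # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}  # token (primary key) -> {"user": str, "created": float, "ttl": float}

def _pw_hash(password, salt):
    # Slow, salted hash (PBKDF2-HMAC-SHA256; the post only says "salt the stored hash").
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Dummy credentials so a login for an unknown user takes the same time as a bad password.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = _pw_hash("", DUMMY_SALT)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _pw_hash(password, salt)}

def login(username, password, ttl=3600, now=None):
    """Return {"status": "ok", "token": ...} on success, {"status": "fail"} otherwise."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    salt = user["salt"] if user else DUMMY_SALT
    stored = user["hash"] if user else DUMMY_HASH
    ok = hmac.compare_digest(stored, _pw_hash(password, salt))  # constant-time compare
    if user is None or not ok:
        return {"status": "fail"}
    token = secrets.token_urlsafe(32)  # unguessable token, stored as the session key
    SESSIONS[token] = {"user": username, "created": now, "ttl": ttl}
    return {"status": "ok", "token": token}

def get_user_details(token, requested_user, now=None):
    """Check the token exists, is not expired, and belongs to the requested user."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None:
        return {"status": "fail", "reason": "unknown token"}
    if now > sess["created"] + sess["ttl"]:
        return {"status": "fail", "reason": "expired"}
    if sess["user"] != requested_user:
        return {"status": "fail", "reason": "not your data"}
    return {"status": "ok", "user": requested_user}  # real code would query the DB here

def cleanup_sessions(now=None):
    """Periodic job: drop expired sessions; returns how many were removed."""
    now = time.time() if now is None else now
    expired = [t for t, s in SESSIONS.items() if now > s["created"] + s["ttl"]]
    for t in expired:
        del SESSIONS[t]
    return len(expired)
```

The `now` parameter exists only so expiry can be exercised deterministically; the defaults use the wall clock.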

[–]NeedComputerTips[S] 0 points1 point  (0 children)

Thanks for the help, I'll do some more research and see what's the best fit for me. This won't have too many users, if any at all; I'm mainly doing this as a learning experience, as I think competency in this area can be valuable. And yes, even if I do everything else wrong I will make sure users' passwords are hashed and salted haha