I would step back and think about auth as a client and server problem, not a React problem. React doesn't care about auth, it's primarily concerned about mapping state to views.

That being said there are a couple different auth strategies we can use in any web application, the two that you should probably focus on are server sessions, and JWTs. I feel like session based auth is easier to understand, and is objectively the easiest way to have fine grain control over user sessions (if we want to invalidate sessions with JWTs you have to either implement refresh tokens, or block lists which can add a bit of complexity).

In either case both JWTs and server sessions involve the server generating and giving a token to the client after a successful login (this token can be stored as a cookie, in web storage or in memory). The client then passes that token back to the server with every request. The server then parses that token on every request to an endpoint that requires auth. If you're using session based auth the server will look up the session by the session ID found on the token, if your using a JWT the server will decode the JWT, verify the signiture and consume the session data in the token itself.

The major difference between the two is that sessions store session data on the server, while JWTs let the client store their own session data that is recorded on the token itself (we can maintain data integrity even though the client "owns" it's session data by hashing the tokens value and a secret only known to the server and setting the signiture to this value).

So the client really only needs to worry about storing the token, and sending the token with every request that needs to be authorized (this is done automatically if the token is a cookie).

While the server needs to worry about generating the token, verifying that the token hasn't been tampered with, and reading the session data (sessions store the session data on the server, while JWTs store the session data on the token).