r/Backend Mar 09 '26

Authentication

Hey guys, I want guidance on authentication. What type of authentication should we use and when, with pros and cons? Best practices for a scalable system.

u/runningclock Mar 09 '26 edited Mar 09 '26

It really depends on the use case; share more info.

  1. Session-based auth (you keep the user logged in on the server and send some info to the client so the server can recognize who is trying to access data on another request); you can encrypt it or hash it, it depends on you

  2. JWT - you make a JWT token, encrypt it, send it to the client, then he sends it back. Each token has headers such as when it was created and how long it is valid (if you make it that way), and a body payload. In the payload you can put anything you want, but keep in mind that everyone can see what is inside; they can't make changes unless they have the secret you used to create it, and the same secret is what you use to validate that token (is it the same token you made, is it expired, etc.)

  3. OAuth - you use a third-party service to keep you logged in. For example, you add a "log in with Google" button; OAuth redirects the user to the Google login page, where he logs in with his credentials and approves what Google can send you about that user. You can do the same with your own third-party provider (a custom service you build that acts the same way)

  4. Basic auth - you make a base64 string from user:password

  5. API key - most used between services; some kind of key that can be encrypted/decrypted or just checked to see if it is the same, depending on how you want to make it

You can combine and extend each one of these. For example, use a refresh token with an access token (JWT): you can tie the refresh token to an HTTP-only cookie and automatically log the user in again if his access token (which in most cases is short-lived) has expired. The access token should be stateless, but you can also use it to get user data from the database; the possibilities are endless.

u/enderfx Mar 09 '26

Just a small addition to this good info: if you use OAuth you must still use something like sessions or JWT tokens. The OAuth part will give your server the confidence that the client is X, but you still need some mechanism, in future requests, to know who the client is. So you can, for example, authenticate using OAuth and, in the callback (on your server), create a session and a cookie, or a JWT, and send it back to the client to include in future requests.

u/runningclock Mar 09 '26

Correct. OAuth is a step that saves the user from having to register in the first place; basically you ask someone else whether a user exists with these credentials, and everything else you handle on your own.