1) Token-based authentication provides a means of authentication based on claims. It lets you transfer claims in HTTP requests and verify that the claims come from a trusted source by checking the token's signature.
You must protect your API with JWT tokens. In your API, check for a JWT token in the incoming request headers and, if one is present, use the token handler package to decode it into a ClaimsPrincipal.
Once you have a principal, you can apply whatever authorization rules you like to your API endpoints using the standard filter attributes.
2) The web API must be stateless: remove the use of session state at the API level.
What you need to consider ...
i) How is a user uniquely identified in your system? Do you have a user id or some other identifier? (AuthN)
ii) Once you can uniquely identify someone, how do you decide which resources that identity can access? (AuthZ)
Do you absolutely need to load all permissions from the database when a user logs in, or only those permissions that allow you to uniquely identify the login?
You can create a JWT token with a set of claims that lets you pass the token in API requests, so you no longer need to store data on the server, since the authn / authz information is now part of the HTTP request.
Good design is needed here. Too much information in the JWT token and every request to your API will carry a large payload. Not enough information and your API will have to go and fetch any additional data needed to make authorization decisions. You will need to decide which balance is right.
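As an added example (not code from this answer or from any library it mentions), the stateless per-request check described above written out in plain Python with only the standard library: issue a token carrying a few claims, verify the signature and expiry on the API side, turn the result into a principal, and apply an authorization rule to its claims. It assumes HS256 with a constructed shared secret and an assumed `roles` claim; in ASP.NET the token handler package does the validation step for you and hands back a ClaimsPrincipal.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret; a real key comes from configuration or a key vault.
SECRET = b"constructed-demo-secret-do-not-use"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_token(claims: dict, secret: bytes, ttl: int = 300, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT carrying the given claims plus iat/exp (issuer side)."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(dict(claims, iat=now, exp=now + ttl)).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None (API side)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: the header is client-controlled, so the server decides
        # what it accepts rather than letting the token pick 'none' or another alg.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None  # a missing or past expiry is a rejection, not a pass
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed base64/JSON or wrong shape: treat as unauthenticated

def principal_from_headers(headers: dict, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """The per-request check: no Bearer token, or a bad one, means no principal."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):], secret, now)

def authorize(principal: Optional[dict], required_role: str) -> bool:
    """Endpoint rule applied to the principal's claims; 'roles' is an assumed claim name."""
    return principal is not None and required_role in principal.get("roles", [])
```

Because every decision is made from the claims in the request plus a fixed server-side secret, the API keeps no session, which is the stateless property point 2) asks for; the size of the `claims` dict you put in `create_token` is exactly the payload-versus-lookup trade-off described above.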
Check out Identity Server on GitHub. It has some useful demo projects and good links to common authentication topics.