The Security part of your API is not something that belongs to API Platform itself. Instead, the framework lets you rely on the Symfony Security integration, including Symfony's built-in authenticators and community bundles that build on top of it.
Stateful VS stateless, Cookies VS Headers, Standard protocols VS home-made authentication flows... There's a lot of alternatives, which can make it very hard to find the right one.
In this talk we will review all these possibilities to see how you should secure your API depending on your application and infrastructure. Last but not least, we will discover a novelty that will help solving this issue.