I think that will be a highly opinionated answer.
If your API is consumed by third-party applications, using cookies is not an option (well, it is, but you don’t want to make the life of other devs harder).
If your API is consumed only by your own front-end, you can go with whatever unorthodox method you want. If you otherwise use the local or session storage, even that is fine. It can even be a global(ish) variable in the application.
You may want to take a look at riot.im or vector.im; it may give you some ideas.