Third Party SSO Strategy?

I have a XANO function performing a third-party SSO via REST endpoints.
In the end I end up with a lot of pieces of data including a 'Session Token'.

How can I keep XANO APIs secure?
Should I put the session token in the 'extra' part of the regular Auth Token?
Should I put the session token in the $http_headers and check against that with each request?

I'm open to ideas, but I need the end user to enter their credentials only once.
I'm using WeWeb for the front end.