# Should I use Django's default auth system for RESTful APIs


sterile sage
#

Session-based auth is for use with a browser, so if you have that then JS on your site will be able to call the API as the logged-in user.

If you want to be able to use the API from a client that isn't a browser (i.e. doesn't store cookies etc.) then you look at other auth options.

tribal quiver
#

You can use SessionAuth without cookies for this, it's just more work, as you'd need an endpoint to trade login credentials for a sessionid in e.g. a JsonResponse and store that somehow on the client yourself instead of receiving it via a cookie.

DRF comes with built-in TokenAuth, but it's unfortunately very bare-bones and imho not usable for production as it has no expiry and just one token per User instead of per session. There are many small libraries implementing parts of this, but I can't find one that seems to have reached a broader consensus. We did build our own TokenAuth back then to support the things above, but I don't recommend that either.

Many people reach for JWT to use for authentication, but maybe you'd better not: https://blog.ploetzli.ch/2024/should-i-use-jwt-for-authentication At least give it a good read.

sterile sage
#

I think django-rest-knox is a relatively popular addon for DRF to do this.

tribal quiver
#

Aye, I just saw it's actually linked in the DRF docs, thanks.

#

There are so many other libraries that have like 5-50 stars and no activity in the last 2 years 🥹

granite magnet
#

Yes, you can, but it is recommended to create a custom user model.
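As an added, editorial example (not written by any participant in this thread, and not DRF's or django-rest-knox's own code), the following framework-free Python sketches the two properties tribal quiver says DRF's built-in TokenAuth lacks: a separate token per login session rather than one per user, and an expiry, plus per-session and per-user revocation. It also shows the "trade login credentials for a token in a JSON response" step and the client sending that token in the `Authorization: Token <value>` header instead of a cookie. The user table, salt, iteration count, one-hour TTL and all function names are constructed assumptions; in a real Django project the password check would be `User.check_password()`, the store would be a database table keyed by the token digest, and `authenticate_request` would live inside a DRF authentication class.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 3600      # constructed: each session token lives one hour
PBKDF2_ITERATIONS = 100_000   # constructed; Django's default hasher uses far more


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for Django's password hasher; hypothetical helper.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user table: username -> (salt, PBKDF2 digest).
_ALICE_SALT = b"constructed-salt-0001"
USERS: Dict[str, tuple] = {
    "alice": (_ALICE_SALT, _hash_password("correct horse battery staple", _ALICE_SALT)),
}


@dataclass
class Session:
    user: str
    expires_at: float


@dataclass
class TokenStore:
    """Server-side store of per-session tokens, keyed by the token's digest."""
    _sessions: Dict[str, Session] = field(default_factory=dict)

    @staticmethod
    def _digest(raw_token: str) -> str:
        # Only a hash is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(raw_token.encode("ascii")).hexdigest()

    def issue(self, user: str, now: float) -> str:
        raw = secrets.token_urlsafe(32)  # 256 bits of entropy; a fresh one per login
        self._sessions[self._digest(raw)] = Session(user, now + TOKEN_TTL_SECONDS)
        return raw  # the client keeps this; the server keeps only the digest

    def authenticate(self, raw_token: str, now: float) -> Optional[str]:
        digest = self._digest(raw_token)
        session = self._sessions.get(digest)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[digest]  # lazily purge the expired session
            return None
        return session.user

    def revoke(self, raw_token: str) -> bool:
        """Log out one device/session without touching the user's other sessions."""
        return self._sessions.pop(self._digest(raw_token), None) is not None

    def revoke_all(self, user: str) -> int:
        """Log the user out everywhere, e.g. after a password change."""
        doomed = [d for d, s in self._sessions.items() if s.user == user]
        for d in doomed:
            del self._sessions[d]
        return len(doomed)


def login(store: TokenStore, username: str, password: str, now: float) -> Optional[str]:
    """Body of the 'trade credentials for a token' endpoint: returns the raw
    token to place in the JSON response, or None on bad credentials."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"dummy-salt")  # keep timing similar for unknown users
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    return store.issue(username, now)


def authenticate_request(store: TokenStore, headers: Dict[str, str], now: float) -> Optional[str]:
    """What an authentication class does per request: parse the
    'Authorization: Token <raw>' header (the scheme DRF's TokenAuth uses)
    and map it to a username, or None if absent, malformed, expired or revoked."""
    scheme, _, raw = headers.get("Authorization", "").partition(" ")
    if scheme != "Token" or not raw.strip():
        return None
    return store.authenticate(raw.strip(), now)


if __name__ == "__main__":
    store = TokenStore()
    now = time.time()
    token = login(store, "alice", "correct horse battery staple", now)
    print(authenticate_request(store, {"Authorization": "Token " + token}, now))
```

The `now` parameter is passed explicitly rather than read from the clock inside the store so that expiry can be exercised deterministically; a real implementation would also persist `expires_at` and delete stale rows on a schedule rather than only on lookup.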