Take a web3 approach where every request is signed by the user like a transaction and the backend verifies the user's signature + data is valid. No username/password, sessions, access tokens, etc.
https://github.com/project-vinyl/nfctap.xyz/blob/b63fefa66be593a1d8c19edadad5c567654ab3eb/components/modals/ChatModal.tsx#L42
https://github.com/project-vinyl/nfctap.xyz/blob/b63fefa66be593a1d8c19edadad5c567654ab3eb/lib/zkProving.ts#L39
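A sketch of the backend check the comment above describes, added here as an example and not taken from the linked repository. With no session, the signature has to cover the method, path, body, a timestamp and a nonce, or a captured request can be replayed or re-pointed. Assumptions: Ed25519 from Node's built-in crypto stands in for the wallet's signature scheme, the function names and sample request are hypothetical, and the nonce store is in-memory.

```javascript
// Added example; function names and the sample request are hypothetical.
// Ed25519 (Node's built-in crypto) stands in for the wallet's signature scheme.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const MAX_SKEW_MS = 60_000;   // reject requests more than 60 s old or ahead
const seenNonces = new Map(); // nonce -> expiry (in-memory, demo only)

// Bind the signature to everything the server acts on, so it cannot be
// reused for another method, path or body. JSON keeps the fields unambiguous.
function canonical({ method, path, body, timestamp, nonce }) {
  const bodyHash = nodeCrypto.createHash("sha256").update(body).digest("hex");
  return Buffer.from(JSON.stringify([method.toUpperCase(), path, bodyHash, timestamp, nonce]));
}

// Client side: sign the canonical bytes with the user's private key.
function signRequest(req, privateKey) {
  const sig = nodeCrypto.sign(null, canonical(req), privateKey);
  return { ...req, signature: sig.toString("base64") };
}

// Server side: returns { ok: true } or { ok: false, reason }.
function verifyRequest(req, publicKey, now = Date.now()) {
  if (!Number.isInteger(req.timestamp) || Math.abs(now - req.timestamp) > MAX_SKEW_MS)
    return { ok: false, reason: "stale" };
  let valid = false;
  try {
    const sig = Buffer.from(String(req.signature), "base64");
    valid = nodeCrypto.verify(null, canonical(req), publicKey, sig);
  } catch {
    valid = false; // malformed fields are treated as a failed signature
  }
  if (!valid) return { ok: false, reason: "bad-signature" };
  // Touch the nonce store only after the signature verifies, so
  // unauthenticated traffic cannot fill it.
  for (const [n, exp] of seenNonces) if (exp < now) seenNonces.delete(n);
  if (seenNonces.has(req.nonce)) return { ok: false, reason: "replay" };
  seenNonces.set(req.nonce, req.timestamp + MAX_SKEW_MS);
  return { ok: true };
}

// Constructed sample: one key pair and one signed request.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
const sample = signRequest({
  method: "POST", path: "/api/chat", body: '{"msg":"hi"}',
  timestamp: Date.now(), nonce: nodeCrypto.randomBytes(16).toString("hex"),
}, privateKey);
console.log(verifyRequest(sample, publicKey)); // first delivery
console.log(verifyRequest(sample, publicKey)); // same request again
```

In a multi-instance deployment the nonce map would need to live in a shared store and be keyed per public key.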