# ktor
m
Until you have more specific requirements to guide you, I'd go with something simple and easily understood -- plain old sessions backed by Redis or the like. For web clients, cookies are convenient and the most secure option (when properly configured). For non-web (i.e. native mobile apps) you'll probably end up using a header.