There’s nothing really Expo/React Native-specific about securing a REST API. Your REST API is just a web application. It needs to be secured like any other web application. You’ll want a login endpoint that accepts a username/password (or redirects to a social login) and returns a session ID or a token that can later be sent with each request. If your login endpoint returns a Set-Cookie header with a session ID, then that session ID cookie will be passed automatically to all future requests. You’ll want to use a standard library in your API to handle all this. Writing your own authentication/security code is not recommended. These problems have been solved many times and lots of well-tested solutions are available regardless of programming language.
There’s also very little you can do to prevent your API from being called by an unauthorized client, be that a version of your app that has been modified, another app, or someone using Postman to contact the API directly. Hence, it’s really important that your API only permits actions someone would be able to take with your application. For instance, if a user is not allowed to delete another user’s comments, don’t expose an API endpoint that lets any user delete any comment.
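
The comment-deletion case described above, as an added example that is not part of the original post: a server-side handler that takes the caller's identity from the session cookie and checks ownership before deleting. The in-memory `sessions` and `comments` maps, the `sid` cookie name, the `moderator` role and the request shape are all assumptions made for illustration.

```javascript
// Constructed sample data: in-memory stand-ins for a session store and a comments table.
const sessions = new Map([
  ["sid-alice", { userId: 1, role: "user" }],
  ["sid-bob", { userId: 2, role: "user" }],
  ["sid-mod", { userId: 3, role: "moderator" }], // assumed role, not from the post
]);
const comments = new Map([
  [10, { authorId: 1, text: "first" }],
  [11, { authorId: 2, text: "second" }],
]);

// Pull the session ID out of a Cookie header; returns null if it is absent.
function sessionIdFromCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "sid") return rest.join("=") || null;
  }
  return null;
}

// Hypothetical handler for DELETE /comments/:id.
// The caller's identity comes only from the server-side session, never from
// a user ID supplied by the client in the body or query string.
function deleteComment(req) {
  const session = sessions.get(sessionIdFromCookie(req.headers.cookie));
  if (!session) return { status: 401 }; // no valid session: not logged in

  const id = Number(req.params.id);
  const comment = comments.get(id);
  if (!comment) return { status: 404 };

  // Object-level check: the same request from a modified app or from Postman
  // is rejected here, because the decision does not depend on the client.
  const isOwner = comment.authorId === session.userId;
  const isModerator = session.role === "moderator";
  if (!isOwner && !isModerator) return { status: 403 };

  comments.delete(id);
  return { status: 204 };
}
```
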