Cookie-based authentication when using the WordPress API Fetch NPM package. https://hookturn.io/cookie-based-authentication-wordpress-api-fetch-npm-package/

localize-script-variables-for-wordpress.php

<?php

add_action('wp_enqueue_scripts', function(){

    // Assuming our previous example code is in a script enqueued with the handle `my-script` e.g;
    // wp_enqueue_script( 'my-script', … );
    
    // Localise an object containing our nonce:
    wp_localize_script( 'my-script', 'myvars', [ 
        'nonce' => wp_create_nonce( 'wp_rest' ) 
    ]);

});

wordpress-api-fetch-with-headers-via-middleware.js

import apiFetch from "@wordpress/api-fetch";

// Add the nonce as middleware. This automatically adds the `X-WP-Nonce` 
// header to requests.
apiFetch.use( apiFetch.createNonceMiddleware( window.myvars.nonce ) );

apiFetch({  
    path: '/wp-json/some/endpoint'
}).then((data) => {  
    // use data here
});

wordpress-api-fetch-with-headers.js

import apiFetch from "@wordpress/api-fetch";

apiFetch({  
    path: '/wp-json/some/endpoint',  
    headers: {'X-WP-Nonce': window.myvars.nonce}  
}).then((data) => {  
    // use data here
});

wordpress-api-fetch-without-auth.js

import apiFetch from "@wordpress/api-fetch";

apiFetch({  
    path: '/wp-json/some/endpoint',  
}).then((data) => {  
    // use data here
});