https://serverless.com/blog/strategies-implementing-user-authentication-serverless-applications/

Typically, you would store session data in either Redis or Memcached. But for Serverless projects, it makes sense to use hosted datastores instead—Amazon ElastiCache or DynamoDB, Google Cloud Datastore, etc.

AWS Lambda offers a convenient way to perform authentication outside of your core functions. With API Gateway’s Custom Authorizers, you can specify a separate Lambda function that is only going to take care of authenticating your users.

Still a lot of heavy-lifting. The whole point of going serverless is to focusing more on coding the business logic. 😦