How to support multiple authentication types in single application

I am reading through the documentation on creating restful api endpoints here:

I see that it is recommended to disable user sessions for doing restful endpoints, and I can see how that makes sense. However, this same application will also be doing some more traditional mvc webapp stuff as well, which will want user sessions enabled and a login page etc. So what’s an elegant way around this? I know I could have two separate applications and just copy the models between the two, but that’s not ideal. Would this be a good use case for modules? If so, what would that look like?