Best way to create and store a token/key for API authenticaion with no password

Question

I am fairly new to ReactJS and I have recently began a project where I have an express server where I make API calls and to update entries in MongoDB for a stock application. I determine the operations for API calls or DB actions by HTTP method, so if a get request is made to the portfolio route then it will take the email or any request data and return the user portfolio. Well the problem is right now I feel this is not safe or secure due to if someone knew another person's email they could get there information or possible other malicious actions. Now I don't create the user profile in the DB until they add a portfolio due to not wanting to store a lot of user data for privacy reasons and using firebase for auth, so what way would be a good way to secure the API to only allow a user to modify or acsess their data.

I thought maybe having a user create a portfolio password and have to use that to get in, but at that point I could just go ahead and set up storing the login password. I also can't think of a way to create a hash off the email without possibly using a salt that would be the same for all other keys making it less useful. Also, how would I store the token. Would it be best to store it in local storage or similar to send the key, but I feel like if someone was able to find it they could just use that.

TLDR: What is the best way to secure a server side API requiring an email but no password, but still allowing client side requests.