As the cookie work out-of-the-box in the browser, we can use it for rest request also almost out-of-the-box (use 'withCredentials: true' headerOption in a request, do not forget to enable 'supportsCredentials: true' in services.yml alongside other CORS config).
@variable — Use this style of placeholder for most use-cases. Special characters in the text will be converted to HTML entities.
%variable — Use this style of placeholder to pass text through drupal_placeholder() which will result in HTML escaped text, then wrapped with tags.
:variable — Use this style of placeholder when substituting the value of an href attribute. Values will be HTML escaped, and filtered for dangerous protocols.
Rest client (custom module)