
I am building an app which has only two forms. The first form collects user information. There is no user login/registration involved. The second form displays a survey to be filled in by that user. I cannot use passport as there is no login/registration involved. I should not even return sensitive data using any API endpoint.

I want to know which approach I should go for then.

Dushyant Joshi

1 Answer


I don't know anything about your application, but it sounds like you might want to use a unique token (for example: h38dhe9ajnq2093bdhgj20opdnwspo2a). I'm guessing you will be sending out links to people who will be filling out questionnaires or surveys, so include the token in your email/message so you can uniquely identify them. Once they initially come to your application, store the token in their session or in a client cookie, and base your authentication middleware on that being present in every request.

I'm assuming that security is not a big concern in this case. Otherwise, you may need to implement this system more carefully.

Captain Hypertext
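One way to implement the token scheme described in the answer above, as an added example that is not part of the original answer and is not tied to any framework. The cookie name, the 7-day validity window, the in-memory `Map` standing in for a database table, and all function names are assumptions.

```javascript
// Added example: per-respondent link tokens checked by an authentication middleware.
const { randomBytes, createHash } = require('node:crypto');

const TOKEN_TTL_MS = 7 * 24 * 60 * 60 * 1000; // assumed validity window: 7 days
const COOKIE_NAME = 'survey_token';            // hypothetical cookie name
const invitations = new Map();                 // stand-in for a DB table, keyed by token hash

const hashToken = (token) => createHash('sha256').update(token).digest('hex');

// Issue a token for one respondent; the returned value goes into the emailed link.
// Only the hash is stored, so a leaked table does not reveal usable links.
function issueToken(respondentId, now = Date.now()) {
  const token = randomBytes(32).toString('hex'); // 256 bits from the OS CSPRNG
  invitations.set(hashToken(token), { respondentId, expiresAt: now + TOKEN_TTL_MS, submitted: false });
  return token;
}

// Set-Cookie value for the first visit, once the token from the link has been verified.
function buildCookie(token) {
  return `${COOKIE_NAME}=${token}; Max-Age=${TOKEN_TTL_MS / 1000}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Pull the token back out of a Cookie request header.
function tokenFromCookieHeader(header = '') {
  for (const part of header.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === COOKIE_NAME) return rest.join('=');
  }
  return null;
}

// Core of the middleware: returns the respondent id, or null to reject the request.
function authenticate(token, now = Date.now()) {
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) return null;
  const record = invitations.get(hashToken(token));
  if (!record || record.submitted || now > record.expiresAt) return null;
  return record.respondentId;
}

// Call once the survey is stored so the same link cannot be replayed.
function markSubmitted(token) {
  const record = invitations.get(hashToken(token));
  if (record) record.submitted = true;
}
```

A middleware would call `authenticate(tokenFromCookieHeader(req.headers.cookie))` on every request and look up the respondent's data server-side from the returned id, so no endpoint has to return the stored user information to the client.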