If I understand the problem correctly, you have a set of users who need to authenticate with username and password, and another set of users (clubapi) which access the application via an API and, as such, need to use token authentication?

Assuming the above is correct, you should use middleware to authenticate the user. If there is no token in the request or the token is invalid, no user will be authenticated by the middleware and you are free to present a login form. When the user logs in, you can create a token, send it back to the user which is used on subsequent requests and will be handled by the middleware.