From the Flask-Login documentation:

Sometimes you want to login users without using cookies, such as using header values or an api key passed as a query argument. In these cases, you should use the request_loader callback. This callback should behave the same as your user_loader callback, except that it accepts the Flask request instead of a user_id.

So, to answer your question, they both serve the same function for Flask-Login. They are both used to load the user. request_loader, however, is appropriate for custom logins.

Here's a great tutorial I found that utilizes request_loader to take advantage of token based authentication (The post is not my own, I'm merely sharing the link): http://gouthamanbalaraman.com/blog/minimal-flask-login-example.html

To verify users with Flask-Login's session_id for frontend requests through Angular, you must set the withCredentials configuration flag to true.

That is, if you are using Angular's $http.post(url,data [,config]) or $http.get(url [,config]), make sure the config object contains the property withCredentials set to true. This will instruct the browser to use its cookies in the same way it would for a full-on page visit.

For example,

$http.post('/api/login',{username:'myusername',password:'mypassword'},{withCredentials:true})

will post the data {username:'myusername',password:'mypassword'} to your site/app's /api/login route and, if you're using Flask-Login and are logged in, Flask will know.

You can set this behavior for all $http service requests by setting

$httpProvider.defaults.withCredentials=true

somewhere in your app. Currently, I have that line of code in my app.config block, which seems appropriate to me:

var myApp = angular.module('myApp');

myApp.config(function ($httpProvider) {
  $httpProvider.defaults.withCredentials = true;
  });

(Since this post is about Flask, folks may want to send form data through Angular in such a way that it can be found in request.form, which has a similar solution, fyi.)