What is wrong with cookies?
If both servers are in the same 2nd level domain (web.example.com and websocket.example.com), they can share cookies.
The websocket connection will send the existing cookies for that 2nd level domain during the negotiation.
So you can perform authentication in the web server, return an authentication cookie, and then the websocket will send that cookie to the server again. The websocket server should be able of opening and reading the cookie.
"500 messages per minute" are 8 messages per second, it should not be a problem. Websocket connections are established once, there is not a new connection per each message. A websocket is different than a webservice.
Cheers.