Usually you do some kind of log-in request to start your session. You will get a Token back, and then you add this Token to future requests. Either as part of the URL, as part of the request body, or in a HTTP-Headerfield, usually it is “Authorization”, the Token beeing prefixed by Bearer and a space.
How this Token is generated, validated and other stuff depends on your application.