When your app makes requests to your backend, it must authenticate itself by including the session-token as a header of these requests. The backend can then validate the session-token and decide if the client (your app) is allowed to make that request.
Overview
step.