Auth web services is pretty similar to auth normal apps. It's actually the same that old simple PHP session mechanism works. You check login and password, then you start session and token (session id) is generated that is stored at server side and passed by the client with each next request (either via cookie or uri). Nothing really changed.