Since exposed service is stateless, an authentication "sessionToken" has to be passed as a parameter to each operation. The client can obtain the authentication sessionToken by calling the login operation.