[Q] How does authentication work internally

[Cilenco]

I would like to use this to authenticate my slim REST API but I'm a bit confused right now.

Don't I have to add an accessToken or something like this to my response from login? If a user calls login and after that tries to get some other data how does the system know that the user is authenticated and allowed to call the method? Of course then I have to test if the accessToken is valid in each route but it seams that I do not have to do all this by myself.

The only way I could think of is that the authentication is IP based but I see some problems with that so that could not be the answer, right?

Also how long is the authentication valid? Can I set a experation date somewhere?