POST /users/login with the email and password should return a token and a session ID. You will need "authorization" and "x-session-id" headers for any request that requires authorization. If you do not send a request every few minutes, the session will expire and a new one will be needed. "Requires authorization" does not mean it's limited to staff. I have some code examples using JS, but I'm replying on my phone right now, so let me know if you need them and I can provide them.