MCWS supports two ways to authenticate, either by using a Token, or using HTTP authentication (ie. the login box the browser shows). Your browser will then store the login information and just keep sending it on any subsequent request, so you only get it once in a session.
This is also what MC Clients do, they check the credentials once using the Authenticate call, and if they are accepted they keep sending them with every request otherwise in the HTTP headers.
So in short, you need to provide some sort of authentication with every request if the server requires auth. Either a Token, or a HTTP Authorization header.
Tokens are generated for your client specifically and IIRC are also tied to the IP address of the request, and a certain lifetime, so they expire if not used for a while (although the timeout is relatively long).