There is a certain clientID clientId = which is known to the device that connects.
Using this clientId - the device makes a request to the server and receives an accessToken for this device (accessToken ). The next request is sent with clientId + accessToken + username and password. If all is well, then we get the user's accessToken.
At this step, we are sure that the device is secure and the user is logged in. (We have an accessToken for the user).
You can send another request with this accessToken - check its validity.
Moreover, each of these requests can still be confirmed by clientId (which is known initially).
So we checked the accessToken - it's valid. And we received the so-called sessionToken from the server.
and then we can communicate with the server through this sessionToken - attaching it to the headers.
Maybe I messed up something - the time is already late ... But I think you can understand the essence.

I don’t understand: do I need to “shove” several devices into one session in parallel per unit of time, or just give the opportunity to log in under one account from different devices?
In any case, when implementing an API, you need to manage session creation manually.
1. If there are DIFFERENT sessions and ONE account, the UUID on the server is used to create ID sessions.
2. If you need a SINGLE session for ONE account for several devices, then store the only UUID in the database. ( session_id(ID) ; called before!!! session_start();)
Authorization: CRAM-MD5
You can also do mirroring if necessary. ;)

Authorization != authentication . What's the difference from which device the user logged in?