1. Authentication is performed once. This is a rather complicated, potentially multi-step process. Doing authentication on every request is a 100% wrong decision, it will simply not be possible to use it.
2. Because authentication is performed once, then a certain token is used as a label for all requests from some authenticated user. It could be a session ID coming in a cookie, it could also be a JWT sent in the Authorization header. This is the token that needs to be checked every time. The essence of this token is that it is a) one way or another temporary (although it can be extended in one way or another); b) is not associated with a specific authentication method. Those. it represents a particular successful authentication. With some stretch it can be called a "session". Verifying this token is MUCH easier than doing a new authentication - either you just need to find the session in the list (well, check the IP just in case) in the case of a session ID, or check the validity of the signature in the case of a JWT token.
3. Насчёт фильтров авторизации - уточните версию ASP.NET, тогда поглядим.

Stanislav Makarov Thanks for the explanation.
2. Not JWT but almost the same.
3. .net version 4.5.1
I need to create a REST API service and one of the requirements is that www.restapitutorial.ru state does not exist . Therefore, in order to determine the user, I pass the token formed as follows:
Create an array of segments and url parameters. Sort alphabetically. We create a string from this array. Add the secret key hash to it. Add the current time in unix format. And we pass it in the Authorization header along with the user's UUID.

var token = url + secureKeyHash + currentTime;
var authorization = uuid + ":" + token;

Сервер проверят есть ли пользователь с таким uuid. Если есть тогда берет хеш секретного ключа пользователя. Создает токен таким же образом и сверяет с токеном из заголовка.
Все это сделал. Создал глобальный фильтр аутентификации. Только вот сессии и куки мешают.