"Sessions" here don't mean the same thing as with web apps since the API is stateless. In this context, it simply refers the the authorised identity making the current API call; usually, depending on the authorization level, it will have information about:
- The customer profile
- The user profile
These two (2) pieces of information are what constitute an authorised session.
Personal Access Tokens
PATs also create an authorised session as they carry the customer & user information as a part of their context.