So, when you use the ‘login’ method (either through scripting or through the browser), once you give the rest API a username/password (of a console user), you get a certificate back. This certificate can then be used in subsequent interactions via ReST. A good way to see this is by using something like ‘poster’ or ‘postman’ within a browser, and you can clearly see the interactions.
If you want some examples in python and ruby, see my blog series at: https://www.ibm.com/developerworks/community/blogs/edgeCity/entry/the_young_and_restless_or_web_service_queries_for_the_rest_of_us?lang=en