All clients must use a session to perform their actions
To create a session, a request must first be sent to the endpoint /logon with your credentials. The response will have a Set-cookie header containing MFES-RFA-Session. This cookie must be sent with every subsequent request.
Once your script is complete it should finish with a request to the /logoff endpoint to clean up the session. This is to reduce the risk of reaching the session limit and minimize resource usage, and is also a best practice for Web API security.
Sessions have both a maximum lifetime and a maximum idle time, set in the RFA listener configuration. See Remote File Access conversation type for more information.