BlueCat Gateway handles authentication via the BAM REST API (described in Installing and upgrading Gateway). Authentication is slightly different between UI pages and REST API calls:
Gateway UI: Authentication is enforced with browser cookies and a login screen.
REST API: Basic authentication is based on a token that the user must pass with each call. If supported, the token is also stored in a cookie.