The API uses the same system as the normal lemmy-ui website login. There is a login API call where you get a JWT token that is used with the auth parameter on other API calls (such as creating a comment or post that requires login).
JavaScript example:
http://lemmy.world/api/v3/user/login
jsonBody= JSON.stringify( {
username_or_email: "username",
password: "secretpassword"
} );
Also found this bash shell script example: https://lemmy.ml/post/1829749