Yes, a token-based authentication is used between client blocks and the middleware. It is described here: https://doc.cuba-platform.com/manual-6.6/userSession.html
The UserSession object is created on Middleware during LoginService.login() method execution after the user is authenticated using a name and a password. The object is then cached in the Middleware block and returned to the client tier. When running in cluster, the session object is replicated to all cluster members. The client tier also stores the session object after receiving it, associating it with the active user in one way or another (for example, storing it in HTTP session). Further on, all Middleware invocations on behalf of this user are accompanied by passing the session identifier (of UUID type). This process does not need any special support in the application code, as the session identifier is passed automatically, regardless of the signature of invoked methods.
So the UserSession identifier plays the role of the authentication token. Credentials are passed only to the LoginService.login() method.
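The flow described above, modelled in plain Java as an added example (not part of the original post and not CUBA platform code): the class and method names are hypothetical, the credential check is a constructed stand-in for the real user store, and clustering is left out.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;

// Simplified model of the quoted flow; all names here are hypothetical,
// none of them are CUBA platform APIs.
public class SessionTokenDemo {
    record UserSession(UUID id, String login) {}

    static class Middleware {
        private final Map<UUID, UserSession> sessionCache = new ConcurrentHashMap<>();
        private final BiPredicate<String, String> credentialCheck;

        Middleware(BiPredicate<String, String> check) { this.credentialCheck = check; }

        // The only entry point that ever receives the name and password.
        UserSession login(String name, String password) {
            if (!credentialCheck.test(name, password)) {
                throw new SecurityException("authentication failed");
            }
            // randomUUID() draws from a cryptographically strong generator.
            UserSession session = new UserSession(UUID.randomUUID(), name);
            sessionCache.put(session.id(), session);
            return session;
        }

        // Every later call carries only the session identifier.
        String whoAmI(UUID sessionId) {
            UserSession session = sessionCache.get(sessionId);
            if (session == null) {
                throw new SecurityException("no user session for this identifier");
            }
            return session.login();
        }

        void logout(UUID sessionId) { sessionCache.remove(sessionId); }
    }

    public static void main(String[] args) {
        // Constructed credential check standing in for the real user store.
        Middleware mw = new Middleware(
                (n, p) -> n.equals("alice") && p.equals("constructed-password"));
        UserSession s = mw.login("alice", "constructed-password");
        System.out.println(mw.whoAmI(s.id()));   // the identifier alone resolves the user
        mw.logout(s.id());
        try {
            mw.whoAmI(s.id());                   // identifier no longer in the cache
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the identifier alone authenticates each call, it is a bearer credential for as long as the session stays in the cache and needs the same protection in transit and in client-side storage as the password.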