User from mobile hybrid app access private account data...PHP/MySQL

A common solution is to use auth tokens.
When the user logs in from the app, the server creates a unique random string (token), stores it in the database (with an expiration limit) and sends it back to the app. The app then includes that token in each request, and the server knows that the request came from an authorized user.
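
The token flow described in this answer, sketched in PHP as an added example that is not part of the original post. The table name `auth_tokens`, the function names and the one-hour lifetime are assumptions; an in-memory SQLite database stands in for MySQL so the script runs on its own, and the server stores only a SHA-256 hash of the token, which goes one step beyond what the answer describes.

```php
<?php
declare(strict_types=1);

// Constructed demo store: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth_tokens (token_hash CHAR(64) PRIMARY KEY,
           user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');

// Call only after the login credentials have been verified.
function issueToken(PDO $db, int $userId, int $ttlSeconds = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, 64 hex chars
    $stmt = $db->prepare(
        'INSERT INTO auth_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)'
    );
    // Store only the hash, so a leaked table does not hand out usable tokens.
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttlSeconds]);
    return $token; // returned to the app once, in the login response
}

// Call on every request; returns the user id, or null if the token is not valid.
function authenticate(PDO $db, string $token, ?int $now = null): ?int
{
    $now ??= time(); // $now is injectable so expiry can be exercised below
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // reject malformed input before touching the database
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM auth_tokens WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), $now]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Logout or server-side revocation: delete the row and the token stops working.
function revokeToken(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM auth_tokens WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed usage: user id 42 is a sample value.
$token = issueToken($db, 42);
var_dump(authenticate($db, $token));                // freshly issued token
var_dump(authenticate($db, str_repeat('0', 64)));   // well-formed but unknown token
var_dump(authenticate($db, $token, time() + 7200)); // same token after its expiry
revokeToken($db, $token);
var_dump(authenticate($db, $token));                // token after revocation
```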