To allow the auto-login mechanism provided by CentralAuth to function properly with a REST API, it needs to support header-based authentication. A straightforward way to do this is to use an Authorization header in a way similar to how OAuth uses it, e.g. something like Authorization: MWCentralAuth <token>.
Note that this new SessionProvider should return true from the safeAgainstCsrf() method, while the old parameter-based CentralAuthTokenSessionProvider must return false.
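A stand-alone sketch of the header handling and the two CSRF answers described above. It is an added example, not CentralAuth code: it loads no MediaWiki classes, the function and class names are hypothetical, and the token alphabet is an assumption because the task does not specify the token format.

```php
<?php
// Added sketch, not CentralAuth code. Only the scheme name "MWCentralAuth"
// and safeAgainstCsrf() come from the task; all other names are hypothetical.
const CA_AUTH_SCHEME = 'MWCentralAuth';

// Returns the token, or null when the header is absent, malformed, or uses
// another scheme (e.g. OAuth), so that a different provider can claim it.
function extractCentralAuthToken( ?string $header ): ?string {
	if ( $header === null ) {
		return null;
	}
	// Exactly two fields: scheme, then token. Anything else is rejected.
	if ( !preg_match( '/^(\S+) +(\S+)$/', trim( $header ), $m ) ) {
		return null;
	}
	// Authentication scheme names are case-insensitive (RFC 7235).
	if ( strcasecmp( $m[1], CA_AUTH_SCHEME ) !== 0 ) {
		return null;
	}
	// Assumption: tokens are alphanumeric; the task does not give the format.
	return preg_match( '/^[A-Za-z0-9]+$/', $m[2] ) ? $m[2] : null;
}

// Header-based: a cross-site form post or image load cannot set an
// Authorization header, so the provider can report itself CSRF-safe.
final class HeaderTokenProviderSketch {
	public function getToken( array $headers, array $query ): ?string {
		return extractCentralAuthToken( $headers['authorization'] ?? null );
	}
	public function safeAgainstCsrf(): bool {
		return true;
	}
}

// Parameter-based: the token travels in the URL, which another site can
// embed in a link or form, so CSRF token checks must stay in force.
final class ParamTokenProviderSketch {
	public function getToken( array $headers, array $query ): ?string {
		return $query['centralauthtoken'] ?? null; // existing CentralAuth parameter
	}
	public function safeAgainstCsrf(): bool {
		return false;
	}
}

// Constructed header values: the first two yield 'abc123', the rest null.
foreach ( [ 'MWCentralAuth abc123', 'mwcentralauth abc123',
	'OAuth oauth_token="x"', 'MWCentralAuth', 'MWCentralAuth a b' ] as $h ) {
	printf( "%-24s => %s\n", $h, var_export( extractCentralAuthToken( $h ), true ) );
}
```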