The idea is to have a RESTful interface for the CakePHP application.
When a user logs in from the GUI part (ExtJS in our case), a cookie is set with a unique token.
This token is simply a field stored in the user's table as part of the user's data.
Requests from the GUI after the initial login will use this token inside the authentication header.
Each request's token will then be checked before the request is executed.
We can use the existing authentication system that is part of CakePHP and map the token back to a user and then check if the user has the correct rights to execute a request.
Using a token instead of an established session will make things easy when third-party systems, rather than the GUI, are used to interact with the CakePHP application.
Using a token also stays true to the idea of a RESTful interface, since such an interface should be stateless.
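
The per-request token check described above, as an added example in plain PHP (it is not the application's own code and does not use CakePHP's API). The `Authorization: Bearer` scheme, the function names, the rights format and the user records are assumptions made for illustration.

```php
<?php
// Added example in plain PHP; not CakePHP's API. All names and data are hypothetical.

// Token issued at login: unguessable bytes from the CSPRNG, stored in the user's record.
function newToken(): string
{
    return bin2hex(random_bytes(32));
}

// Extract the token from the header value. The "Bearer" scheme is an assumption.
function tokenFromHeader(?string $header): ?string
{
    if ($header !== null && preg_match('/^Bearer\s+(\S+)$/i', trim($header), $m)) {
        return $m[1];
    }
    return null;
}

// Map the token back to a user; hash_equals() compares in constant time.
function userForToken(array $users, string $token): ?array
{
    foreach ($users as $user) {
        if (hash_equals($user['token'], $token)) {
            return $user;
        }
    }
    return null;
}

// Runs before a request is executed; returns the HTTP status to answer with.
function authorize(array $users, ?string $header, string $method, string $path): int
{
    $token = tokenFromHeader($header);
    $user = $token === null ? null : userForToken($users, $token);
    if ($user === null) {
        return 401; // no token, or a token that maps to no user
    }
    return in_array("$method $path", $user['rights'], true) ? 200 : 403;
}

// Constructed stand-in for the user's table: the token is a field of each record.
$users = [
    ['username' => 'admin', 'token' => newToken(), 'rights' => ['GET /users', 'DELETE /users']],
    ['username' => 'viewer', 'token' => newToken(), 'rights' => ['GET /users']],
];
$viewer = 'Bearer ' . $users[1]['token'];
foreach ([['GET', $viewer], ['DELETE', $viewer], ['GET', 'Bearer guess'], ['GET', null]] as [$method, $header]) {
    echo $method, ' /users -> ', authorize($users, $header, $method, '/users'), "\n";
}
```

The check keeps no session state between calls: each request is decided only from the header it carries and the user record the token maps to.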