Authentication for REST services deployed on Salesforce are done with OAuth 2.0 You may find Salesforce's documentation on using OAuth 2.0 for Salesforce authentication here.

To establish an authenticated connection to an outside app you would have to first create a "connected app" on Salesforce and get the Client Id and the Client Secret token. To find Salesforce's detailed documentation on connected apps you may go here.

Authentication is always included in the header.