The server knew who I was because the login endpoint created a session cookie that was automatically sent with requests, allowing the server to look up my user information from the session database.