It's magic... you shouldn't have to do anything (i.e., don't use getSession()). When Rlabkey sees the session information it passes it back as an HTTP header for all API calls coming from that R session. The server accepts this just as it would a valid JSESSIONID parameter or cookie coming from a browser.

I haven't walked through the Rlabkey code recently, but a couple quick tests on labkey.org show that it's working as expected... I created a two-line R view that outputs the results of an Rlabkey select command. The report correctly renders results matching the currently logged in user's permissions. I provided no authentication context to Rlabkey... it's picking up the session information implicitly.

We don't appear to document that this mechanism exists, though.

Adam