docs: app_api session keys (#182)

Ref: #181
Ref: nextcloud/server#42479

docs/tech_details/Authentication.rst

@@ -78,3 +78,14 @@ AppAPIAuth
 
 AppAPI provides ``AppAPIAuth`` attribute with middleware to validate requests from ExApps.
 In your API controllers you can use it as an PHP attribute.
+
+AppAPI session keys
+^^^^^^^^^^^^^^^^^^^
+
+After successful authentication AppAPI sets `app_api` session key to ``true``.
+
+.. code-block:: php
+
+	$this->session->set('app_api', true);
+
+.. note:: The Nextcloud server verifies this session key and allows **CORS protection** and **Two-Factor authentication** to be bypassed for requests coming from ExApps.