In order to allow the receiver of XJMF messages to authenticate the sender we should define a (prefered) authetication method
9.5.3 HTTPS-Based Protocol – TLS
In order to prevent fraud and misuse of the interface it is strongly encouraged to only allow access to authenticated clients. If authentication is implemented, it SHOULD follow the "RFC 6750: OAuth 2.0 Bearer Token Usage" (https://tools.ietf.org/html/rfc6750). All implementations SHOULD support at least "2.1 Authorization Request Header Field" (https://tools.ietf.org/html/rfc6750#section-2.1).
The initial exchange of the token and renewal, as well as the format of the token is not part of this specification and is implemention dependent.