When you process the log in, a cookie is sent to the device and stored. This is used later to validate the login for future api requests. Each time you add a SC to a page (or a SC form) that uses a restrict step or the identity, you will need to tick credentials to allow this cookie to be sent with the request.
I have made a feature request that mobile projects have it ticked by default: