Authenticate against a stateless API implies that you should authenticate each time that you make a request to the server; keep in mind that a stateless server does not keep track of the previous requests. This means that each time you make a request to the server, it will process the petition as the first one.
As sessions are not stored in the server, you should put that information somewhere else. For Backbone applications, the right place to store the session data is the browser, you can use localStorage
to store and retrieve the session data and JavaScript to manage the session.
The simplest way to authenticate against a RESTFul API is with the HTTP Basic Authentication. The idea behind this is simple; you should include an encoded version of your username and password for every request you make. It may sound risky to send your user and password for each request, and it is. For this reason, it's highly advisable to only use Basic authentication...