Hello Nirav, I have looked at the behavior of Thingworx's HTTP Basic authenticator to see why sessions are being created. The authenticator will create a new session for each REST call authenticated using HTTP Basic authentication unless explicitly told not to. This is to accommodate REST calls made by the browser, which will not know to explicitly ask for a session for the default login. You could add the following header to ask the HTTP Basic authenticator to explicitly not create a session though:
If a session gets created from a REST call, it will automatically expire after 30 minutes, so these sessions will eventually disappear.
There is another problem with this method, however, and it is that HTTP Basic authentication is slow. This is purposeful to avoid brute force attempts at guessing any password. Using application keys is the preferred practice for your case, as it avoids both the purposeful slowness of HTTP Basic, but it also avoids the extra sessions created; authenticating using an app key does not create long-lasting sessions by default.