It's pretty simple, basically just a challenge string that has to be signed in a particular way — no expiration or anything, because a relay can invalidate the session whenever they feel like it. In the future, I think it would be cool to authenticate with pubkeys other than your own (for example a single purpose pubkey exclusively used for holding a badge awarded by the relay admin). Lots of interesting possibilities.