The answer is quite late but what is the problem about using the app token here?
Also, I would suggest to use a user token instead of credentials with login & password.

Anyway, you have a point, the official API docs say the app_token is optional but in most cases it is actually required.

I have developed a whole bidirectional interface between GLPI and another ticketing system, it worked perfectly fine with just including the app_token in session creation.