Before a device token has been registered, the initial authentication takes place using username, password, and MTAN (or any other authentication flow resulting in access to the device registration REST calls).
This process has nothing to do with the actual device token authentication but it shows what a REST client has to expect in this state.
HTTP Request: Check Username and Password
HTTP Response: Check Username and Password
Note that since there are no device tokens for the user, the next authentication step is directly "MTAN_OTP_REQUIRED".
HTTP Request: Send MTAN OTP
HTTP Response: OTP OK and session authenticated
At this point, authentication is completed and access to protected REST calls such as the ones following are possible.