Technically, they need to only enter it once and then you persist the access token and utilize it in subsequent requests. How you handle this personally though depends on what kind of session management you have in your application and whether persisting the access token makes sense for the type of app you have.
