Well I haven't got my application set up yet, but from reading the documentation it seems as though:
1. Use https://itch.io/api/1/jwt/me to get information about the player (I'm assuming you're already doing this)
2. Then call the API described here to verify the user is legit (if your game requires a user to have purchased the game, or obtained a key from you some other way)
3. You should now be confident in your game client that your user is valid (and owns the copy of the game if you decided to do #2). You should be able to pass the same ITCHIO_API_KEY environment variable to the server, and have the server also perform #1 & #2 again so it can also trust the player is legit. The key is valid until the ITCHIO_API_KEY_EXPIRES_AT environment variable, so you should be able to auth using that key until it expires. I don't yet know how long that timeframe is though.
I haven't set my game up to use the app manifest yet, since I've only just started using Itch. I'm still reading documentation about different API functionality and just wanted to give you an idea of how it all seems to flow in my mind.
If you want to get really really fancy once you've got the basics:
There are also some other cool ways you can use to make sure that the API key you've been given doesn't go to waste if the expiration they give you is a short timeframe and you don't want your user to have to re-launch your game. You can also create your own verification backend that verifies, and translates Itch API keys into session keys that YOU control. You can then use those session keys to authenticate with your server, and the server verifies your internal session keys. You can even get crafty and set them up to rotate around so the key can only be used once and refreshes for every request in order to prevent replay attacks.
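An added example, not part of the original post and not itch.io's or the poster's code: a minimal in-memory sketch of the rotating, single-use session keys described in the last paragraph. The `verify_itch_key` callable stands in for steps 1 and 2 and is hypothetical, as are the class and method names; revoking a user's live keys when a spent key is replayed goes one step beyond what the post describes.

```python
import secrets
import time


class RotatingSessions:
    """Trade a verified itch.io key for single-use session keys the server controls."""

    def __init__(self, verify_itch_key, ttl=900, clock=time.time):
        self._verify = verify_itch_key  # hypothetical: api_key -> user id, or None
        self._ttl = ttl                 # lifetime of each issued key, in seconds
        self._clock = clock
        self._live = {}                 # unused key -> (user_id, expires_at)
        self._spent = {}                # consumed key -> user_id (unbounded in this sketch)

    def _issue(self, user_id):
        key = secrets.token_urlsafe(32)
        self._live[key] = (user_id, self._clock() + self._ttl)
        return key

    def login(self, itch_api_key):
        user_id = self._verify(itch_api_key)
        if user_id is None:
            raise PermissionError("itch.io key rejected")
        return self._issue(user_id)

    def authenticate(self, key):
        """Consume `key`; return (user_id, next_key) for the client's next request."""
        if key in self._spent:
            # A spent key showing up again means a copy leaked: drop the whole chain.
            user_id = self._spent[key]
            for k in [k for k, (u, _) in self._live.items() if u == user_id]:
                del self._live[k]
            raise PermissionError("session key replayed")
        entry = self._live.pop(key, None)
        if entry is None:
            raise PermissionError("unknown session key")
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            raise PermissionError("session key expired")
        self._spent[key] = user_id
        return user_id, self._issue(user_id)


if __name__ == "__main__":
    # Constructed verifier and key, for illustration only.
    sessions = RotatingSessions(lambda k: 42 if k == "constructed-itch-key" else None)
    first = sessions.login("constructed-itch-key")
    user, second = sessions.authenticate(first)
    print(user, second != first)
```
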