Communication between channels is managed by the channel nodes.
The communication contains a data payload that is coded as JSON. This is passed as the "data" claim in a JSON web token (JWT), allowing it to be signed by the sending party. This provides the receiving party with confirmation that the message is authorised, and the signature also provides a non-repudiation guarantee that the message was indeed created by the other party and not tampered. The JWT will also contain a "process_identifier" claim to indicate the identifier of the shared process.
For a local call (on the same server), the receiving channel is executed passing the JWT in the "data" parameter of the request. No authorisation is provided. Data is returned in the "return" element of an XML document.
For a web service call (remote server), the JWT is posted to the receiving channel's address as POST data, with a content type of "application/jwt". No authorisation is provided. Data is returned in the same way as a local call.
Note that the call in either case is anonymous, and the channel must allow anonymous execute permission (plus anonymous use draft permission).
(It would be possible to envisage a different solution in which a JWT was used as a bearer token, which is the more typical pattern, and the data sent separately. However, the need to sign the data payload means that it is just as easy to put the data payload into the JWT rather than have a signed JWT and then a signed payload. Also, this approach allows local calls to be encoded the same way as remote calls.)