XOOPS

XOOPS 2.0.10 BETA Released

Mithrandir  25-Mar-2005 21:01

How does it work?
The token system is used in conjunction with input forms: it generates a unique and practically unguessable value that is saved both in the user's session and as a hidden variable in the form. When the form is submitted, the receiving page can check whether the token value provided via the form is also in the user's session. If not, the check will fail.

How do I use this in my module?
Depending on your module's implementation, there are several ways to implement the token system:

Form side
1) Add a 5th parameter to the constructor of the XoopsForm-derived class: true adds a token, false (the default) leaves the token system off for this form.

2) If you are not using XoopsForm classes but are writing HTML directly in a PHP file or Smarty template, you can get the HTML for a token field with $GLOBALS['xoopsSecurity']->getTokenHTML(). This returns the result of a XoopsFormHiddenToken::render() call, ready to be used in a PHP file or assigned to $xoopsTpl for use in a template.

Receiving side
On the receiving end, one must check the validity of the token by calling $GLOBALS['xoopsSecurity']->check() - which returns true or false - before authorising changes to the database or similar actions.
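
The form-side and receiving-side steps above can be seen end to end in the following added sketch of the session-token pattern. It is not XOOPS source code: the class name DemoTokenGuard, the field name DEMO_TOKEN, the expiry time and the single-use rule are assumptions made for illustration, and a plain array stands in for $_SESSION so the script runs from the PHP command line.

```php
<?php
// Added illustration of the session-token pattern; NOT XOOPS source code.
// DemoTokenGuard, DEMO_TOKEN, the expiry and the single-use rule are assumptions.
final class DemoTokenGuard
{
    private $session;   // reference to the session store ($_SESSION on a real page)
    private $ttl;       // token lifetime in seconds

    public function __construct(array &$session, int $ttl = 900)
    {
        $this->session = &$session;
        $this->ttl = $ttl;
        if (!isset($this->session['tokens'])) {
            $this->session['tokens'] = [];
        }
    }

    // Form side: create a random token, store it in the session, return the hidden field.
    public function getTokenHTML(string $field = 'DEMO_TOKEN'): string
    {
        $token = bin2hex(random_bytes(16));
        $this->session['tokens'][$token] = time() + $this->ttl;
        return sprintf('<input type="hidden" name="%s" value="%s" />',
            htmlspecialchars($field, ENT_QUOTES), $token);
    }

    // Receiving side: true only if the submitted value is an unexpired token of this session.
    public function check(array $post, string $field = 'DEMO_TOKEN'): bool
    {
        $submitted = $post[$field] ?? null;
        if (!is_string($submitted) || $submitted === '') {
            return false;                                   // request carried no token
        }
        foreach ($this->session['tokens'] as $token => $expires) {
            if (hash_equals((string) $token, $submitted)) { // constant-time comparison
                unset($this->session['tokens'][$token]);    // a token is valid once
                return $expires >= time();
            }
        }
        return false;                                       // never issued to this session
    }
}

$session = [];                                  // constructed stand-in for $_SESSION
$guard = new DemoTokenGuard($session);
preg_match('/value="([0-9a-f]+)"/', $guard->getTokenHTML(), $m);
var_dump($guard->check(['DEMO_TOKEN' => $m[1]]));               // genuine form submission
var_dump($guard->check(['DEMO_TOKEN' => $m[1]]));               // same token replayed
var_dump($guard->check(['DEMO_TOKEN' => str_repeat('0', 32)])); // guessed value
var_dump($guard->check([]));                                    // post with no token field
```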