According to the REST API documentation under Authentication, there is a Session object returned in the JSON response as part of 'Step 7:Logging in with OxygenLoginCredentials'. It's unclear to me whether the userId property is actually supposed to be the Autodesk account username one uses during the authentication process. I assumed initially it would be but am getting a different value. Is this value perhaps encrypted? If so, what is the process for unencrypting? For example, my username of 'mnalevanko' is coming back 'tEYFo' in the JSON response.
The value is not encrypted. I would expect Session.userId to be the key for your PLM user, which is usually an email address. Personally, my code doesn't make use of the Session information. I just use it as a sanity check to make sure that the login was successful. I verify that a Session object came back, but I don't take a close look at the data.
Try calling /api/v2/users/profile and see if the UserDetai.id value matches Session.userId.