The correct flow would be the get one trusted ticket, then get one of the views (that will assign you a workgroup_session_id cookie) and then open the rest in parallel using your newly built session. You have to persist your cookies between curl invocations (-cookie-jar)
Do you have an example somewhere? Is this documented?
Should the workgroup_session_id be in the response header, or where should I find it?
It does not documented since Cookie handling is the core of the browsers. When you first open the viz with trusted ticket you should see a
In the response header. Set that cookie and you will stay authenticated