it is a way for clients to authenticate with relays, right now, relays have basic permissions that are hardcoded and they're relative to the events they receive. i.e. they only accept events from certain pubkeys (not who sent them), or can block connections per IP, but they don't really know who they're talking to... with AUTH, the relay knows who it is talking to because the client signs a unique challenge, so they have a signed proof that the clients is X pubkey. with this, they can for example refuse to serve kind-4 notes or other things it decides should be reserved to only authenticated pubkeys..