It’s probably a newbie question, but I’ll try to create an interesting debate. I know there are some authentication methods for APIs: Basic Authentication, API Keys, OAuth 2.0 … All of those methods add a header or a formData param in the request. Although you use SSL, it’s “usually easy” to hack mobile apps (I’m thinking of Android right now: