He outlines the rules for designing authentication schemes for REST API’s. “ Let's just be blunt: if you aren't encrypting your API calls, you aren't even pretending to be secure ”, He says, 1.