To use any of the APIs, the user first needs to call the 'login' API and provide the username and password (through SSL). Upon successful login, a token is returned. This token needs to be utilized in all further API calls. The token is encrypted and passed over SSL.
The login API function has a built-in mechanism against brute-force password attacks, by temporarily suspending the account login after 3 incorrect attempts.