Isn't it a security risk to use http authentication?  Sure, the password is hashed, and the username/password combination is encoded (not to be confused with encrypted), but if someone gets this token, can't they use that and your api key (both which are being passed in plain text) to authorize themselves into your account indefinitely.  The session authentication seems to me to be slightly more secure, but again they are able to use that session token for at least its life span.  Am I correct in these assumptions?  Are there any plans to introduce signed URLs?  What is the secret API key for?  Can I access the API over an SSL connection?

Thanks.

agree https authentication should be available if your going to storing personal information in your omnidrive account.