Verify that a remote caller is who they say they are. Don't send passwords or API keys over the wire. That's risky. Make sure replay attacks have a very limited window in case someone has listened in to the HTTP conversation somehow.