At least the login/signup pages, and more likely the whole website, should be secured with SSL.
It's likely that it's possible to do this even for the API without introducing any breakage, because browsers are obliged to follow redirects on XHR requests transparently. I've had CORS issues with this in the past, so it may be that only the token generator endpoint can be secured.