I need to design an API with reasonably secure* authentication that can be used from either an application server or a web client (e.g., AJAX running in an application loaded from an application...