The Buxfer Post » Security


API changes: More security

Thursday, April 3rd, 2008

We have changed our API in an important way in order to prevent Cross Site Request Forgery (CSRF) attacks. APIs that rely on implicit authentication, e.g., HTTP Basic authentication or cookies, are vulnerable to such attacks because the browser attaches those credentials to every request to the site, including requests triggered by a page the user did not intend to act on.

What’s the change?

  1. We have added an explicit ‘login’ command which returns a “token” for the session if the login is successful.
  2. Subsequent commands in the session must all include this token in order to be processed.
  3. The token expires after a “reasonable” time-out — on the order of 10 minutes or so.
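To make the three steps concrete, here is a small Python model of the scheme. It is an added example, not Buxfer's own code or API: the command name `get_accounts`, the parameter names, the `alice` account, the in-memory token store and the clock abstraction are all assumptions for illustration. The point it demonstrates is the defensive property of the change: a request that arrives with only ambient credentials (cookies, Basic auth) but no explicit token is rejected, a guessed token is rejected, and a genuine token stops working once the time-out has passed.

```python
import hmac
import secrets
import time

# Constructed credential store for the example; a real service would store
# password hashes, never plaintext. (hypothetical account)
USERS = {"alice": "correct horse battery staple"}

# The post says the token expires "on the order of 10 minutes or so".
TOKEN_TTL_SECONDS = 10 * 60


class FakeClock:
    """Controllable clock so the expiry behaviour can be exercised offline."""

    def __init__(self):
        self._now = 1_000.0

    def now(self):
        return self._now

    def advance(self, seconds):
        self._now += seconds


class TokenApi:
    """Models the post's scheme: an explicit 'login' command issues a token,
    every other command must carry that token, and tokens expire."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._tokens = {}  # token -> (username, expires_at)

    def login(self, userid, password):
        expected = USERS.get(userid)
        # Constant-time comparison avoids leaking password length/prefix via timing.
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return {"status": "ERROR", "error": "invalid credentials"}
        # A long random token from the OS CSPRNG; unguessable by a third-party site.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (userid, self._clock() + TOKEN_TTL_SECONDS)
        return {"status": "OK", "token": token}

    def _authenticate(self, token):
        """Return the user for a valid, unexpired token, else None."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() >= expires_at:
            del self._tokens[token]  # expired: drop it so it cannot be reused
            return None
        return user

    def command(self, name, token=None, **params):
        """Any command other than login is processed only with a valid token.
        Cookies or Basic auth headers are deliberately not consulted here: that is
        what makes a forged cross-site request fail."""
        user = self._authenticate(token) if token else None
        if user is None:
            return {"status": "ERROR", "error": "missing, unknown or expired token"}
        return {"status": "OK", "user": user, "command": name, "params": params}


def run_scenario():
    """Walk through login, normal use, a token-less cross-site style request,
    a guessed token, and use after expiry. Returns the list of statuses."""
    clock = FakeClock()
    api = TokenApi(clock=clock.now)
    statuses = []

    statuses.append(api.login("alice", "wrong password")["status"])      # ERROR
    login = api.login("alice", "correct horse battery staple")
    statuses.append(login["status"])                                       # OK
    token = login["token"]

    statuses.append(api.command("get_accounts", token=token)["status"])  # OK
    statuses.append(api.command("get_accounts")["status"])               # ERROR: no token
    statuses.append(api.command("get_accounts", token="guessed")["status"])  # ERROR: unknown token

    clock.advance(TOKEN_TTL_SECONDS + 1)
    statuses.append(api.command("get_accounts", token=token)["status"])  # ERROR: expired
    return statuses


if __name__ == "__main__":
    print(run_scenario())
```

The CSRF protection comes from the fact that a script on another origin can cause the browser to send a request, but cannot read the token out of the login response, so it cannot satisfy step 2. The expiry in step 3 limits how long a token that does leak (for example through a log line) remains usable.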

I hope it will not be too much of a hassle for you to adapt your scripts. Security is paramount when it comes to handling finances.