> > How exactly? The API uses the secret key to verify request/response. That key is unknown > to the attacker. You are correct, I was ignoring the fact the API provides verification through the API keys. https would only provide an additional layer of verification.