"Imagine a simple API for e.g. a (mobile) web application. I would want the client (connects via ajax) to initially do a handshake and come to some form of authentication, based on a client key. Being a client side app, the key could be grabbed from the application and used in a spoof app." Read more.