Unlike the WebServices API, which is both encrypted and session-based, or the FTP APIs, which are monitored through a firewall, the HTTP API interface is not as secure. It does require a password, but it does not support any type of encryption. Instead, it relies upon the transport channel you establish with the platform.
An additional layer of security has been included in versions 8.4 and newer. If your server has an SSL certificate installed, you can use https instead of http when creating your API commands. On the SaaS, that URL is: https://api.whatcounts.net