Identity/BrowserIDSync

73 bytes added, 19:16, 9 February 2012
BrowserID + REST
[[Image:BrowserIDREST.png|500px]]
We standardize a point of authentication, <tt>/auth</tt>, which exchanges an assertion for a MAC HTTP Auth token and secret, valid for some session duration (30 minutes?). Then, subsequent API calls are made with an HTTP MAC Auth signature header ([https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 HTTP MAC]) using that token and secret. (This is similar to OAuth in 2-legged mode, but is now being standardized as its own HTTP Auth method.) Thus, apart from the new API call to <tt>/auth</tt>, a REST API does not need to change. Only its authorization header is affected.
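The signing and verification steps described above, as an added Python example that is not part of the original wiki page or any Mozilla code. The normalized-request field order and the header parameters (<tt>id</tt>, <tt>ts</tt>, <tt>nonce</tt>, <tt>mac</tt>) are assumed from the linked draft -01, HMAC-SHA-1 is an assumed algorithm choice, and the token, secret, host, path and in-memory session store are constructed for illustration.

```python
import base64, hashlib, hmac, re

def normalized_request(ts, nonce, method, uri, host, port, ext=""):
    # Assumed field order (draft -01): every field is followed by a newline.
    fields = (ts, nonce, method.upper(), uri, host.lower(), port, ext)
    return "".join(f"{f}\n" for f in fields)

def sign(secret, ts, nonce, method, uri, host, port, ext=""):
    msg = normalized_request(ts, nonce, method, uri, host, port, ext)
    digest = hmac.new(secret.encode(), msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def auth_header(token, secret, ts, nonce, method, uri, host, port):
    # Client side: build the Authorization header value for one API call.
    mac = sign(secret, ts, nonce, method, uri, host, port)
    return f'MAC id="{token}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

def verify(header, sessions, seen, method, uri, host, port, now, skew=60):
    """Server side: return the token id for a valid request, otherwise None."""
    if not header.startswith("MAC "):
        return None
    p = dict(re.findall(r'(\w+)="([^"]*)"', header[4:]))
    if not {"id", "ts", "nonce", "mac"} <= p.keys():
        return None
    session = sessions.get(p["id"])
    if session is None or now >= session["expires"]:
        return None                      # unknown token or session expired
    ts = p["ts"]
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > skew:
        return None                      # malformed or stale timestamp
    replay_key = (p["id"], ts, p["nonce"])
    if replay_key in seen:
        return None                      # nonce already used: replay
    expected = sign(session["secret"], ts, p["nonce"], method, uri,
                    host, port, p.get("ext", ""))
    if not hmac.compare_digest(expected.encode(), p["mac"].encode()):
        return None                      # altered request or wrong secret
    seen.add(replay_key)
    return p["id"]

# Constructed sample: what /auth might have issued at t=1000 for 30 minutes.
ISSUED = 1000
SESSIONS = {"tok123": {"secret": "s3cr3t-demo", "expires": ISSUED + 30 * 60}}
HEADER = auth_header("tok123", "s3cr3t-demo", 1010, "n-1",
                     "GET", "/1.0/collections?full=1", "sync.example.com", 443)
```

The server rejects the same header on a second use, on a changed path or query string, outside the timestamp window, and once the session issued by <tt>/auth</tt> has expired.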
In order to make it easier for clients to discover our authentication mechanism, unauthenticated API calls should return