use token based auth after authenticating with the webapp
session based auth leaves the webapp vulnerable to CSRF attacks. We'd like to disable it for API calls. So token based auth should be used instead. For an example in py see: https://github.com/leapcode/leap_web/blob/develop/users/test/integration/api/python/flow_with_srp.py#L67
(from redmine: created on 2013-10-29, closed on 2013-12-22)