Web APIs are a lot of things. Some are transactional, like booking systems, inventory systems, banking systems, web shops...

Ed: however the thing with TLS is that it is session based, and it's probably a good idea to surface that state to the application, so you had a connection-based transport, and you could say: "I know this session, it's encrypted, and I've flagged it as authenticated to this user, and can map that to authorization" - rather than have a cookie that can get stolen rather easily.

You might still hijack an encrypted session of course, but it should be a bit more tricky.
