We are in the process of revamping our server side API, and we need to manage security. Our current model requires that a credentials object (containing user, password, and pin) be included in each method invocation. Our development team, however, has decided that we should have session objects instead (which is fine by me), but the new credentials are just a GUID. This is very different from what I've seen in other APIs in our industry, so I'm a bit concerned about how secure the new model will be. I asked them if they had analyzed both alternatives, and they said they haven't.

Does anyone know if there're any clear advantages, disadvantages, risks, etc. of using a set of credentials versus just one element (complex as it may be)?

PS: the communication channel would be secure in either case, and it's separate from this particular topic