Once I've logged in over https and have my session id, is there any reason to really stay in https mode for future API calls? What got me thinking about this was the observation that web traffic to smugmug doesn't. So once I login my web session id, or some other unique identifier, must be getting passed along in the clear. If I can save the crypto overhead then I'm all for it.

personally, I just do logging in over https, and do everything else using http.

Yeah, 4 more lines of code and some debug and that's how I'm doing it now too. I figure if it's safe enough for the web interface, well, then hey, it's safe enough for me.