Currently, anyone who knows how the API works and can obtain your session ID from the cookie can retrieve information about you through the API unnoticed.
The cookie is site-wide intentionally. It was meant as a solution to the problem that you need to log in to the SD and the website separately. Because HTTPS was introduced for the website only, this hasn't been solved yet. (I want a wildcard certificate, and I want it now! ;) )
One way to have more control over who uses the API is to introduce API keys and secrets. Simply put, each application that wants to use the API has to send its API key with every request, together with a signature: a keyed hash (an HMAC) of the request computed with the application's secret. The secret itself is never transmitted in any request, so an attacker can only hijack the key by obtaining the secret; the key alone is useless without it.
Currently, intercepting requests between an application and the website isn't easy, since all uses of the API are limited to the Cover server itself, but in the future people may want to use the API from their personal domain to extend the utility of the website itself. Personally I would love to see such implementations and want to make sure that this will be possible.
.. really we should just use OAuth, but that is so horribly complex :(
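The key-and-secret signing scheme sketched above, as an added example (this is not code from the post, the Cover server, or the SD; the header names, key store and key id are assumptions made for the illustration). Both sides compute an HMAC-SHA256 over a canonical form of the request; the server looks up the secret by key id and compares in constant time. The timestamp and nonce go beyond what the post describes: without them, anyone who intercepts a signed request can replay it verbatim, even though they never learn the secret.

```python
"""API key + secret request signing (HMAC-SHA256), client and server side.

The key id travels in a header; the secret never leaves the client or the
server's key store. Timestamp and nonce (assumed additions, not in the post)
bound how long a captured request stays valid and stop exact replays.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample key store: hypothetical key id and secret for the demo.
# Real secrets should come from secrets.token_hex() and live only in a key store.
KEY_STORE = {
    "app-7f3a": "4d1e8b9c2f7a6e0d5b3c9a1f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6b5",
}


def canonical_request(method, path, query, body, api_key, timestamp, nonce):
    """Deterministic bytes both sides MAC over. Every field an attacker could
    usefully alter (method, path, query, body) is covered; the body is hashed
    so the canonical string stays small for large uploads."""
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [method.upper(), path, query, api_key, str(timestamp), nonce, body_hash]
    return "\n".join(parts).encode()


def sign(secret, canonical):
    """HMAC-SHA256 of the canonical request, keyed with the shared secret."""
    return hmac.new(secret.encode(), canonical, hashlib.sha256).hexdigest()


def client_sign_request(api_key, secret, method, path, query="", body=b"", now=None, nonce=None):
    """Client side: returns the auth headers to attach. The secret is used
    here but never placed in a header."""
    timestamp = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    canonical = canonical_request(method, path, query, body, api_key, timestamp, nonce)
    return {
        "X-Api-Key": api_key,          # assumed header names
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": sign(secret, canonical),
    }


class SignatureVerifier:
    """Server side: recomputes the signature from the stored secret."""

    def __init__(self, key_store, max_skew=300):
        self.key_store = key_store
        self.max_skew = max_skew   # seconds a timestamp may differ from server time
        self._seen = {}            # nonce -> expiry; only nonces of verified requests

    def verify(self, method, path, query, body, headers, now=None):
        now = now if now is not None else time.time()
        try:
            api_key = headers["X-Api-Key"]
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            provided = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        secret = self.key_store.get(api_key)
        if secret is None:
            return False, "unknown api key"
        if abs(now - timestamp) > self.max_skew:
            return False, "timestamp outside allowed window"
        # Forget nonces older than the window, then refuse any reuse inside it.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return False, "replayed nonce"
        expected = sign(secret, canonical_request(method, path, query, body, api_key, timestamp, nonce))
        # Constant-time comparison so timing doesn't leak how much of the MAC matched.
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        self._seen[nonce] = now + self.max_skew
        return True, "ok"


if __name__ == "__main__":
    verifier = SignatureVerifier(KEY_STORE)
    hdrs = client_sign_request("app-7f3a", KEY_STORE["app-7f3a"], "GET", "/api/me", "fields=name")
    print(verifier.verify("GET", "/api/me", "fields=name", b"", hdrs))   # first use
    print(verifier.verify("GET", "/api/me", "fields=name", b"", hdrs))   # exact replay
```

The canonical string is the part that matters most: anything left out of it (a query parameter, the HTTP method) can be changed by whoever relays the request without invalidating the signature. The nonce is only recorded after the signature checks out, so an attacker who knows a key id but not the secret cannot "burn" nonces for the legitimate client.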