For question 2 about the request, the reason it could be useful would be if the client, and not the server, was initiating requests and had access to a source, whether via an API key or some other means of access. As a basic example, let's say the client (mobile app) sends the server the user's portfolio of stocks for advice. The server determines that it would like to see detailed intraday data for 3 of the 20 stocks in order to perform some technical analysis. It sends back to the client -- here's the exact request w/parameters you need to make to Etrade.com (or Robinhood.com, etc) to get the data I need... just substitute your API key (so the key never leaves the mobile device, never shared with the server), then go make that request then send me (the server) the results and I will do the analysis.
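The exchange described above, sketched as an added example that is not part of the original post: the server emits a request template with no key in it, and the client checks the template before substituting the key it holds locally. The template format, the `{{API_KEY}}` placeholder, the host name and the key value are all assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit, urlencode

PLACEHOLDER = "{{API_KEY}}"  # assumed placeholder token, not from the original post

# Keys live only on the device, indexed by the one host each may be sent to
# (constructed host and key).
DEVICE_KEYS = {"api.broker-a.example": "device-secret-123"}


def server_build_template(symbols):
    """Server side: describe the request it wants made, with no key in it."""
    return json.dumps({
        "method": "GET",
        "url": "https://api.broker-a.example/v1/intraday",
        "params": {"symbols": ",".join(symbols), "interval": "5m"},
        "headers": {"Authorization": "Bearer " + PLACEHOLDER},
    })


def client_prepare(template_json, keys=DEVICE_KEYS):
    """Client side: validate the template, then substitute the local key."""
    t = json.loads(template_json)
    parts = urlsplit(t["url"])
    if parts.scheme != "https":
        raise ValueError("refusing non-HTTPS request")
    # The key is released only to the host it was issued for, so a template
    # pointing anywhere else cannot collect it.
    if parts.hostname not in keys:
        raise ValueError("no key for host " + str(parts.hostname))
    if t.get("method") != "GET":
        raise ValueError("only read-only GET templates are accepted")
    # The placeholder may appear only in header values, keeping the key out of
    # the URL and query string, which tend to end up in logs.
    if PLACEHOLDER in t["url"] or PLACEHOLDER in json.dumps(t.get("params", {})):
        raise ValueError("placeholder outside headers")
    key = keys[parts.hostname]
    headers = {k: v.replace(PLACEHOLDER, key)
               for k, v in t.get("headers", {}).items()}
    url = t["url"] + "?" + urlencode(t.get("params", {}))
    return {"method": "GET", "url": url, "headers": headers}


def client_report(raw_response_body):
    """What goes back to the server: the data only, never the key or headers."""
    return json.dumps({"data": json.loads(raw_response_body)})
```

`client_prepare` returns the request ready to send rather than sending it, so the sketch runs offline; the body the client gets back is passed through `client_report` before it is returned to the server.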