The OTM2 API requires that all requests be signed. The iOS and Android applications sign all their requests and, when you debug the iOS application, it will prints this signed requests to console. Here is what a signed request looks like:
You can take one of these signed requests and test it in a browser, but you need an application to properly generate the timestamp and signature. You can generate the access/secret key pair required for message signing using the Django shell.
$ python manage.py shell
>>> from api.models import *
>>> a = APIAccessCredential.create()
>>> a.access_key
# prints the access key
>>> a.secret_key
# prints the secret key
In the iOS application, these keys are stored and read from the Implementation.plist.
Using SSL is separate from signing API request. The API will work identically over http and https.