@Gene I understand your concern and agree there should be a method at Rachio to reset your API token. Although, I'm not sure what someone would gain from having your token, other than to mess with you by turning your system on/off randomly or disabling scheduling.
Now that you mention it, I wonder about the security of how Amazon skill works, etc, where you actually authenticate with your user/password. Although maybe that was developed by Rachio. Or all those apps that integrate with Hue lighting also.
You are correct, that technically the key does make it to the server by page postbacks for persisting state between pages. In my defense the base site was as the original site was and I left his original statement there. I suppose it could control them through local client scripting, but I whipped the site up in about an hour to get prepped for closing my system this week. I was disappointed last year when the site had disappeared and it was difficult to close using just the app. I will add clarification to the statement to include that it is used for the duration of the session.