Forum Discussion
MCFNeil, 8 years ago, Qrew Captain
But if you really wanted a ticket you can get one via this request.
This comes in handy if you want to send an email notification with a link that expires.
https://target_domain/db/main?a=API_Authenticate&username=PTBarnum&password=TopSecret&hours=24
- MCFNeil, 8 years ago, Qrew Captain: It messed up the formatting:
https://target_domain/db/main?a=API_Authenticate&username=PTBarnum
&password=TopSecret&hours=24
- _anomDiebolt_, 8 years ago, Qrew Elite: Placing a URL in an email that includes a username and password is a very bad idea, as it needlessly exposes the credentials to future discovery and use. In practical terms, the only place to use API_Authenticate is from a server or some other place outside the browser.
- MCFNeil, 8 years ago, Qrew Captain: You don't put the username and password in the URL that is sent, just the Auth ticket that is set to expire in x number of hours.
#ComeOnMan
- _anomDiebolt_, 8 years ago, Qrew Elite: Placing a ticket in a URL sent via email is an equally bad idea, and it may well violate the terms of service. This is called ticket or session sharing. Anyone with the ticket has full access to the QuickBase session for the duration of time the ticket is valid. Email is an insecure way of sending credentials, session information or other sensitive information.
The only ways to securely access QuickBase are through the GUI login, at which time the ticket will be immediately saved in an HTTPS-only cookie, or to immediately grab the ticket when API_Authenticate is called from a server or other place outside of a browser. The security access model used by QuickBase is designed to not share tickets with anyone.
I teach information security and know what I am talking about here. QuickBase has excellent security practices and the only way you are going to get in trouble is through human error, such as sharing credentials or tickets in an unauthorized manner.
- MCFNeil, 8 years ago, Qrew Captain: The same violation of terms of service is broken when you do "Everyone On The Internet".
If you design it right, it works great and maintains your security much better than you'd think.
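The thread's disagreement comes down to one check a defender can automate: does any link that leaves the system carry a credential, a session ticket, or an `API_Authenticate` call in its query string? Below is an added example of such a pre-send scan; it is not code from the thread or from Quickbase. The parameter names in `SENSITIVE_PARAMS` (`username`, `password`, `ticket`) are assumptions modelled on the URL posted above, `target_domain`/`example.invalid` are placeholders, and the sample email body is constructed for the demonstration.

```python
# Added example (not from the forum thread or from Quickbase): scan outgoing
# text such as an email body or notification template for URLs that embed
# credentials, a session ticket, or a server-only authentication call.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed query parameter names that must never ride in a user-facing link.
SENSITIVE_PARAMS = {"username", "password", "ticket"}
# Per the thread, API_Authenticate belongs on a server, never in a mailed link.
SERVER_ONLY_ACTIONS = {"API_Authenticate"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def redact_url(url):
    """Blank sensitive values so a finding can be logged without re-leaking them."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def inspect_url(url):
    """Return a finding dict for one URL, or None if nothing sensitive is present."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = sorted({k.lower() for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})
    actions = {v for k, v in pairs if k == "a"}
    auth_call = bool(actions & SERVER_ONLY_ACTIONS)
    if not leaked and not auth_call:
        return None
    return {"url": redact_url(url), "params": leaked, "auth_call": auth_call}


def find_sensitive_urls(text):
    """Extract every URL from free text and return a finding for each unsafe one."""
    findings = []
    for url in URL_RE.findall(text):
        finding = inspect_url(url)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample email body; the first link mirrors the one posted in the thread.
SAMPLE_EMAIL = """Hi,
Your report is ready: https://target_domain/db/main?a=API_Authenticate&username=PTBarnum&password=TopSecret&hours=24
Help: https://example.invalid/help?a=doc&page=3
"""

if __name__ == "__main__":
    for finding in find_sensitive_urls(SAMPLE_EMAIL):
        print(finding)
```

Run it as a gate in whatever sends the notification: a non-empty result means the message should be blocked and the link regenerated, and the redacted URL in the finding is safe to write to a log. The check is case-insensitive on parameter names, so `Ticket=` is caught as well as `ticket=`.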