Placing a ticket in a URL sent via email is an equally bad idea and it may well violate the terms of service. This is called ticket or session sharing. Anyone with the ticket has full access to the QuickBase session for the duration of time the ticket is valid. Email is an insecure way of sending credentials, session information or other sensitive information.
The only ways to securely access QuickBase is through the GUI login at which time the ticket will be immediately saved in a
https only coookie or to immediately grab the ticket when
API_Authenticate is called from a server or other place outside of a browser. The security access model used by QuickBase is designed to not share tickets with anyone.
I teach information security and know what I am talking about here. QuickBase has excellent security practices and the only way you are going to get in trouble is through human error - such as sharing credentials or tickets in an unauthorized manner.