When deciding on which technology to use to interact with other systems, there are several aspects to keep in mind. What are our limitations, what are the other system's limitations, do we need authentication, should our data be XML or JSON? and so on.

If you are creating users that will only be interacting with your web services and APIs, you can mark this on their profile as API-only to protect the rest of your organization. Also, unless you specify IP range whitelists for your users' profiles, a security token will be required in order to authenticate the user and retrieve a valid session ID for use. A security token is a unique string that is generated on request from a user's personal settings and is tied to the password, meaning that it is reset when the user changes their password.