You must secure messages that you send.
Message security has two components, channel security and authentication. Channel security is maintains the security of the message in transit between two endpoints. Authentication is used to determine that a secure message comes from a particular merchant. To sum up, channel security prevents eavesdropping and tampering in transit, and authentication proves that the message received came from the person it says it came from. Both components are necessary to establish trust and to process transactions.
REST uses transport layer security (TLS) for channel security like most APIs do. REST uses two different authentication mechanisms: JSON Web Token (JWT) or HTTP Signature. Both use the http message header to transmit the merchant's credentials.