Where at all possible you should use secure connections when using the API, particularly when usernames and passwords (or tokens) are being communicated across the internet or when messages contain sensitive information.
SSL or TLS can be used with and APIs to secure access to our services. Similarly VPN connections can be put in place for this purpose.
While SMS is a suitable means for communicating some sensitive information, it is not suitable for messages that absolutely must not be visible to parties that may lie between your application and the intended recipient. Where strong end-to-end encryption of messages is used then SMS should be fine, albeit IP may be a more suitable transport than SMS.