I think it is fair to say that the users don't really care as long as the implementation is done well, but if information about me is worth storing in a cookie (login information, perhaps), it is probably worth sending on all requests, even outside of the browser. If I've already logged in via the web browser, I don't want to have to login again to use your API (and vice versa). It seems like a sensible default. The server can always ignore the cookies if they are not needed.