by stilkov
2314 days ago
No, it’s not. That’s why we wrote “because of the limits of browser-native authentication (e.g. no logout, no styling), form-based authentication in conjunction with cookies can be used”. In practice, that’s the only option for public applications.

Would something like this be better?
"Authenticated communication via a browser relies on form-based authentication, possibly in conjunction with cookies. If cookies are used, they should include all of the state needed for the server to process them. All other forms of authenticated communication should rely on HTTP Basic or Digest Authentication, typically combined with SSL, possibly with client certificates."
Unless HTTP Basic / Digest are also unsuited for public APIs, in which case should they not be removed and some other recommendation be made?