That’s assuming the client wants to make a web app. They may need to connect something else to that API.
It’s perfectly normal to be able to cater to more authentication scenarios than “web app logging in directly to the target API and using its cookies”.
If they want to make a web app they should use the cookie mechanism but ultimately each client app is responsible for how it secures its access.
It’s not about Trump (the dude may not even live much longer, he looks awful).
It’s about all the people who support his values and way of thinking and use him as a distraction while they erode democratic rights and processes. America is undergoing a tremendous divide which may lead to the federation coming apart and individual states breaking away. That’s what’s worrying the rest of us, not the POTUS making a fool of himself on TV.