When generating a cookie via the endpoint /rest/auth/1/session, it'd be interesting to be able to provide the API token generated at https://id.atlassian.com in the body of the request instead of the user's password. Example call being:

curl -D- --silent --cookie-jar "myCookie" -H "Content-Type: application/json" -d '{"username": "<user>", "password": "<API_Token_here>"}' -X "POST" "https://instance.atlassian.net/rest/auth/1/session"

This would help customer to avoid stressing the server with basic auth using tokens. But instead they could generate one without having to use their passwords.