To create your wallet, you should pass this parameters:

• walletDirOpt - Optional folder to keep your wallet. When undefined, your wallet is kept in memory, which is only recommended for one-time wallets or tests. For day-to-day wallet usage it's recommended to select folder with cloud backup, like Dropbox, SpiderOak, Carbonite etc.
• walletPassword - wallet password is an encryption key for your wallet. Even if someone have access to your wallet file, he can't get access to your wallet without this password. It's possible to set it via settings json file, while it's better to pass it on application start.
• walletSeed - Wallet seed is used to generate your wallet, and can be used to restore it in case of problems. Anyone with a copy of your wallet seed can spend your coins so keep it safe. It's possible to set it via settings json file, while it's better to pass it on first application start.

To make your API secure you should do following:

• Configure https for API. For now there is no build-in support of https in Scorex, you may use any http-server with https support to access API.
• Set up API key. After that all POST/DELETE requests to api should contain api_key parameter in header. To configure it you should set apiKeyHash parameter in your settings file. apiKeyHash is SecureCryptographicHash(api_key)=Blake256(Keccak256(api_key)), where SecureCryptographicHash is defined in Scorex and may be accessed via API from /utils/hash/secure API route.