User API is no longer gets bypasses that standard API gets. Only bypasses are CSRF and XHR requirements.
This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278