Re: 5 BTC giveaway!
by Scrat Acorns on 17/05/2013, 12:53:23 UTC
Board: Games and rounds
Nice layout, and I'm mostly ok with the API.

But! This is a big "but" for me, by the way. Stop storing the user/password in a cookie, and especially do not store it anywhere in plain text (and most especially not in cookies!). I just ran SELECT * FROM moz_cookies WHERE baseDomain = 'coinroll.it'; on Firefox's cookies.sqlite and I see everything as clear as it can get.

My second issue is the limit on bets. Are you scared of someone suddenly getting lucky on < 1 and stealing your whole pot?

Nevertheless, congrats on making a decent API for it.

I just saw your post, sorry for the delay.

This was a design choice. I wanted it to be loginless and stateless. The alternative would be to have a (static) session ID, which would have pretty much the same effect: if someone has access to your machine they can access your Coinroll balance. I don't think that is a problem anyway. If your system is compromised you have bigger problems than your balance on a gambling website.

The cookie has the 'httpOnly' and 'secure' flags set, so it can't be read by JavaScript and it is only transmitted over HTTPS.

People don't leave Bitcoins on the website. They also make (and they should) new accounts for every session.

As for your second question, the pot is big enough to make that event highly unlikely. The betting limits are adjusted based on that.
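The check the first poster describes (querying moz_cookies for the site's domain) and the point the reply does not address (Secure and HttpOnly govern transmission and script access, not what sits on disk) can both be shown with a small audit script. The following is an added example, not code from either poster or from Coinroll: it builds an in-memory SQLite table mimicking the 2013-era Firefox moz_cookies layout the quoted query relies on (a `baseDomain` column; newer Firefox versions have changed the schema, so this is an assumption about that era only), fills it with constructed sample rows, runs the same query, and flags credential-shaped values regardless of the cookie flags. The `issue_session_token` helper sketches the "static session ID" alternative mentioned in the reply: the cookie carries a random opaque token and the server keeps only its hash, so a copied cookies.sqlite yields a revocable token rather than a reusable password. All names here are illustrative.

```python
import hashlib
import re
import secrets
import sqlite3

# Constructed sample rows (not real data) in the column order of the 2013-era
# Firefox moz_cookies table: baseDomain, name, value, host, path, isSecure, isHttpOnly.
SAMPLE_COOKIES = [
    ("coinroll.it", "auth", "user=alice&password=hunter2", ".coinroll.it", "/", 1, 1),
    ("coinroll.it", "prefs", "theme=dark", ".coinroll.it", "/", 0, 0),
    ("example.org", "sid", "9f3c1a7b2e", ".example.org", "/", 1, 1),
]

# Matches a credential-looking key (user=, username=, password=, passwd=, pwd=)
# at the start of the value or after a & / ; separator, case-insensitively.
CRED_PATTERN = re.compile(r"(?i)(^|[&;])\s*(user(name)?|pass(word|wd)?|pwd)\s*=")


def build_cookie_db(rows):
    """Create an in-memory stand-in for cookies.sqlite with the columns we audit."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE moz_cookies (
               id INTEGER PRIMARY KEY, baseDomain TEXT, name TEXT, value TEXT,
               host TEXT, path TEXT, isSecure INTEGER, isHttpOnly INTEGER)"""
    )
    conn.executemany(
        "INSERT INTO moz_cookies (baseDomain, name, value, host, path, isSecure, isHttpOnly) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def audit_cookies(conn, base_domain):
    """Run the poster's query for one domain and report what a local reader would see.

    Secure/HttpOnly are reported as missing where absent, but a plaintext
    credential is flagged even when both flags are set: the flags do not
    encrypt the value on disk.
    """
    cur = conn.execute(
        "SELECT name, value, isSecure, isHttpOnly FROM moz_cookies "
        "WHERE baseDomain = ? ORDER BY id",
        (base_domain,),
    )
    findings = []
    for name, value, is_secure, is_httponly in cur:
        issues = []
        if CRED_PATTERN.search(value):
            issues.append("plaintext credential in value")
        if not is_secure:
            issues.append("missing Secure flag")
        if not is_httponly:
            issues.append("missing HttpOnly flag")
        findings.append({"name": name, "issues": issues})
    return findings


def issue_session_token(nbytes=32):
    """Illustrative session-ID alternative: the client gets a random opaque token,
    the server stores only its SHA-256 so a leaked database does not leak tokens,
    and the server-side record can be deleted to revoke the cookie."""
    token = secrets.token_urlsafe(nbytes)
    server_side_record = hashlib.sha256(token.encode()).hexdigest()
    return token, server_side_record


def token_matches(token, server_side_record):
    """Constant-time check of a presented token against the stored hash."""
    presented = hashlib.sha256(token.encode()).hexdigest()
    return secrets.compare_digest(presented, server_side_record)


if __name__ == "__main__":
    db = build_cookie_db(SAMPLE_COOKIES)
    for finding in audit_cookies(db, "coinroll.it"):
        print(finding["name"], "->", finding["issues"] or ["ok"])
    tok, rec = issue_session_token()
    print("cookie value:", tok)
    print("server stores:", rec)
```

Against the constructed rows the `auth` cookie is flagged for a plaintext credential even though it has both flags, while `prefs` is flagged only for the missing flags; that is exactly the gap between what the reply claims the flags protect and what a local `cookies.sqlite` read exposes. The token helper is one standard way to get the loginless, per-session feel the reply wants without the cookie being a reusable password.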