Nice layout, and I'm mostly ok with the API.
But! This is a big "but" for me, by the way. Stop storing the user/password in a cookie, and especially do not store it anywhere in plain text (much more especially, don't do that in the cookies!). I just did a SELECT * FROM moz_cookies WHERE baseDomain = 'coinroll.it'; on cookies.sqlite from Firefox and I see everything as clear as it can get.
My second issue is the limit on bets. Are you scared of someone suddenly getting lucky on < 1 and stealing all your pot?
Nevertheless, congrats on making a decent API for it.
This was a design choice. I wanted it to be loginless and stateless. The alternative would be to have a (static) session ID which would pretty much have the same effect: if someone has access to your machine they can access your Coinroll balance. Which I don't think is a problem anyway. If your system is compromised you have bigger problems than your balance on a gambling website.
The cookie has the 'httpOnly' and 'secure' flags set, so it can't be read by JavaScript and it is only transmitted via HTTPS.
You are skipping another approach that should be obvious: there are bugs everywhere. I don't actually need to compromise a computer in order to access their cookies (including the httpOnly ones), I just need a browser with a bug that has been published (or not) which allows access to cookies.
Of course there are other approaches, maybe they are just not feasible for you? GMail uses cookies too, but plain passwords are something you won't find there.
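
An added example, not part of the thread and not Coinroll's code: a sketch of the session-ID alternative discussed above, where the cookie carries a random token, the server keeps only its SHA-256 digest, and sessions expire and can be revoked without touching the password. The `SessionStore` class, its method names, the cookie name `session` and the account IDs are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Hypothetical server-side session table; stores token digests, never raw tokens."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id, now=None):
        """Create a random 256-bit token after the password was verified once."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = (account_id, now + self.ttl)
        return token

    def cookie_header(self, token):
        """Cookie carries only the token, with the flags mentioned in the thread."""
        return (f"Set-Cookie: session={token}; Max-Age={self.ttl}; "
                "Path=/; Secure; HttpOnly; SameSite=Strict")

    def resolve(self, token, now=None):
        """Return the account for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        digest = self._digest(token)
        entry = self._sessions.get(digest)
        if entry is None:
            return None
        account_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[digest]  # drop expired sessions on access
            return None
        return account_id

    def revoke_all(self, account_id):
        """Invalidate every session of an account, e.g. after a suspected cookie theft."""
        stale = [d for d, (a, _) in self._sessions.items() if a == account_id]
        for d in stale:
            del self._sessions[d]
        return len(stale)
```

A token read out of cookies.sqlite in this scheme is still usable until it expires or is revoked, but it does not disclose the password and a dump of the server-side table does not yield usable cookies.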