SOAP like server

I'm going to make a SOAP like server and was wondering why most SOAP based API's have a username, password and key to gain access.

Surely one form of ID would be enough as all three of those parameters could be just as easily spoofed as one?

Also is there anyway that doesn't use SSL to identify request from another server and doesn't use any extensions such as SOAP.