Note that creating a project is done through the Site Admin API, not the OTA (client) API.
In order to use either API you still have to establish a connection to the ALM/QC system through the API using valid ALM/QC user credentials. To use the Site Admin API those credentials additionally have to have been granted access to the Site Admin UI. One risk is that, depending on how you write your interface to the API, you may expose the credential's password in a non-secure manner.
(Opinions and information contained in this post are wholly my own and do not reflect the opinions of my employer.)