In fact, tokens are not really generated by cosmos-auth, but by an Identity Manager (FIWARE's implementation is Keyrock) which is accessed by this API. So why not directly accessing the Identity Manager? This is because some sensible information regarding the Cosmos application is needed when requesting a token to the Identity Manager; specifically the
client_secret generated once the Cosmos application is registered. Thus, in order this information continues being secret, it is necessary this kind of intermediary service.
Transport Layer Security (TLS) is used to provide communications security through asymetric cryptography (public/private encryption keys).
Further information can be found in the documentation at fiware-cosmos.readthedocs.io.