I have used APIs that require a nonce for every request. If HTTPS requests are not replayable, seen here https://stackoverflow.com/a/2770133/2800469, what is the reason to require nonces for HTTPS APIs?
Is it just to ensure that legitimate consumers don't issue requests more than once?
HTTPS traffic cannot be replayed but its contents might be. It is possible that a browser will send a request multiple times because the user has hit back or because the connection timed out on the last attempt or similar. In that case you need another nonce to detect the duplicate API requests. So you can avoid e.g. sending two pairs of shoes.
Note the difference. The HTTPS packets are not replayed. The browser might use a new HTTPS connection or still use the same connection but it is simply sending new packets.
Speaking as a web developer, I can't help but to think it's simply easier for the development team to implement application-layer handles than interface with lower-level implementation details. As parameters, it's right next to all the other inputs the server needs, and it's not complicated by caching, load balancers, IP roaming handoffs, browser error handling, etc. Since the developers control the code on the front and back ends, explicit nonces allow them to ignore the middle, and not have to coordinate with other teams like infra during development.
The nonce used in symmetric encryption, which in the case of TLS, is neither a counter nor a pseudo random value used for generating cipher text but instead is a component of the shared key encryption/decryption process.
While the necessity of an nonce for encryption / decryption varies from cipher mode to cipher mode, NIST publication SP 800-38C (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38c.pdf) in the case of AES CCM mode encryption defines the nonce as a parameter necessary for the validation of the decrypted data and its associated authentication tag.
