Each domain is associated with (for now) one user account. For now there are only "API users", so each account can just have an API key.
Plain HTTP authentication or a basic API key gives access.
If the request parameters are plain HTTP queries, it'd be easy to also have an API secret and sign the requests.
If there's an HTML/JS interface we'll need to add a CSRF token of sorts to all requests.
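
One way to sign plain HTTP query parameters with an API secret, shown as an added example (not code from this project): HMAC-SHA256 over the sorted query string, with a timestamp to bound replay. The parameter names `api_key`, `ts` and `sig`, the 300-second window and the sample credentials are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed sample credentials (assumption: one key/secret pair per account).
API_SECRETS = {"demo-key": b"demo-secret-not-for-production"}
MAX_SKEW = 300  # seconds a signed request stays valid (assumed window)


def canonical_query(params):
    """Sort parameters so client and server sign identical bytes."""
    return urlencode(sorted(params.items()))


def sign_query(params, api_key, secret, now=None):
    """Client side: return the query string with key, timestamp and signature."""
    ts = str(int(time.time() if now is None else now))
    signed = dict(params, api_key=api_key, ts=ts)
    mac = hmac.new(secret, canonical_query(signed).encode(), hashlib.sha256)
    signed["sig"] = mac.hexdigest()
    return urlencode(signed)


def verify_query(query_string, now=None):
    """Server side: return the API key if the request is authentic, else None."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):  # duplicate names make the signed view ambiguous
        return None
    sig = params.pop("sig", None)
    secret = API_SECRETS.get(params.get("api_key", ""))
    if sig is None or secret is None:
        return None
    mac = hmac.new(secret, canonical_query(params).encode(), hashlib.sha256)
    # Constant-time comparison on bytes avoids leaking how many characters match.
    if not hmac.compare_digest(mac.hexdigest().encode(), sig.encode()):
        return None
    try:
        ts = int(params["ts"])
    except (KeyError, ValueError):
        return None
    now = time.time() if now is None else now
    return params["api_key"] if abs(now - ts) <= MAX_SKEW else None
```

The secret never travels with the request; only the key identifier and the signature do, so this still needs TLS to keep the parameters themselves confidential.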