The auth-token support (used in the community edition currently) can easily be made more secure. It requires a shared secret between the UI and the API. This shared secret could be generated once and stored in a simple persistent ISPN cache. It would make it impossible for auth tokens to be forged.