If I use https://username:firstname.lastname@example.org/, doesn't that URL show up in server logs all over the internet?
I didn't think this was something I had to point out about API authentication, but apparently it is.
Obviously, you're still using a password if you use HTTP Basic Auth.
This is one of many benefits of using multiple (revokable) API Keys.
% curl --trace-ascii /dev/stdout http://jimktrains:email@example.com
== Info: About to connect() to news.ycombinator.com port 80 (#0)
== Info: Trying 220.127.116.11... == Info: connected
== Info: Server auth using Basic with user 'jimktrains'
=> Send header, 223 bytes (0xdf)
0000: GET / HTTP/1.1
0010: Authorization: Basic amlta3RyYWluczpwYXNzd29yZA==
The username and password are sent in the "Authorization" HTTP header, which will be encrypted.