Separate HTTP and API passwords

I’ve got external access configured and working just fine over HTTPS, and am working on setting up some automations with IFTTT. This actually works really well, but I don’t like the fact that it requires the HTTP password in the maker configuration.

Is there a way to specify a different password for the API? Is there a way to limit what devices and functions this password has access to?

Not at the moment.

No, scoping is not available for API access.