This is more of a security feature request. It might be better to be able to set up multiple API keys, separate from the one used for logging in. This way, if you have clients calling the API and they get compromised, you can simply remove that API key from the allowed list and create a new one. Example: I have an RPi that makes some periodic API calls (for Amazon Dash buttons) and I could assign an API key for that RPi. It’s in my IoT VLAN, but if it got compromised somehow, I could prevent someone from affecting my entire HA instance.
This could also be expanded to permissions for each API key (i.e. API calls only, logging in only, etc.), but that might be out of the scope of this feature request.
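
The per-client key scheme requested above, as an added example that is not part of the original post and not Home Assistant's code. The `ApiKeyRegistry` class, the client names and the `api`/`login` scope names are hypothetical; keys are stored only as digests so the allowed list does not hold usable secrets.

```python
import hashlib
import hmac
import secrets


class ApiKeyRegistry:
    """Per-client API keys, kept separate from the login password (hypothetical)."""

    def __init__(self):
        # client name -> (SHA-256 digest of the key, allowed scopes)
        self._keys = {}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).digest()

    def issue(self, client, scopes):
        """Create or rotate one client's key; the raw key is returned only here."""
        key = secrets.token_urlsafe(32)
        self._keys[client] = (self._digest(key), frozenset(scopes))
        return key

    def revoke(self, client):
        """Drop one client's key from the allowed list; other clients keep working."""
        return self._keys.pop(client, None) is not None

    def authorize(self, presented_key, scope):
        """Return the client name if the key is known and holds the scope, else None."""
        digest = self._digest(presented_key)
        matched = None
        for client, (stored, scopes) in self._keys.items():
            # compare_digest avoids leaking how many leading bytes matched
            if hmac.compare_digest(stored, digest) and scope in scopes:
                matched = client
        return matched


def demo():
    registry = ApiKeyRegistry()
    rpi_key = registry.issue("rpi-dash", {"api"})           # constructed client
    phone_key = registry.issue("phone", {"api", "login"})   # constructed client
    before = registry.authorize(rpi_key, "api")        # RPi may call the API
    wrong_scope = registry.authorize(rpi_key, "login")  # but may not log in
    registry.revoke("rpi-dash")                         # RPi found compromised
    after = registry.authorize(rpi_key, "api")          # its key is now rejected
    other = registry.authorize(phone_key, "login")      # other client unaffected
    return before, wrong_scope, after, other


if __name__ == "__main__":
    print(demo())
```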