l.m.orchard asks why not just use HTTP basic authentication for XML-RPC? After all, "I already have a web server capable of authentication, why shoehorn that into my API?" Um, good question. (I know why I didn't build it that way, but it might be something to think about.)