Apparently our API discussion at PHP Appalachia struck quite a chord with Michael.
As we're in the process of building up the IntelliContact API, we've run into this same problem. We've taken a bit of a simple solution. We allow a given user to associate an API key with their account and specify a separate password. This allows the application using the API to access only users accounts to which they've been granted, and leaves the power with the user to revoke the access at will by changing the password or disabling the API key access entirely. This seems to be a simple-end solution to what Michael proposes which allows for a more general ACL.
[tags]API, REST, authentication[/tags]