This is insightful, and something to keep in mind from a design perspective. Just because something can be done doesn’t mean it’s a good choice longer term for maintainability.
The OAuth approach keeps getting mentioned; I’m looking for any clear documentation or tutorials for how that could be implemented to create API access tokens that users could manage themselves.
But I have more to learn - I always think of OAuth in terms of third-party user authentication to allow basic application access, and obviously it can be used for more.