Allow lists to not be accessible via the API
An idea: List admins who don't trust username+password-based authentication might want to disallow access to their list via the API completely.
Variant: Allow read-only access.
But do people really want that?