Just some quick thoughts brainstorming on this:
- users can generate an 'app id' for authenticating, and it can be 'named' so the user knows what it was generated for
- app ids for the user are listed (with last login date/time), and can be revoked by the user
- API is push-only, and supports file formats supported by the site upload feature (e.g. TCX)
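
The scheme outlined above, as an added Python example that is not part of the original post or the site's code. Storing app ids only as SHA-256 digests, the class and function names, the HTTP-style status codes and the TCX-only allow-list are all assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timezone

ALLOWED_FORMATS = {"tcx"}  # assumption: TCX is the only format the post names

class AppIdStore:
    """Per-user app ids: named, listable with last login, revocable."""

    def __init__(self):
        self._rows = {}  # digest -> record; the raw app id is never stored

    @staticmethod
    def _digest(app_id):
        return hashlib.sha256(app_id.encode()).hexdigest()

    def generate(self, user, name):
        app_id = secrets.token_urlsafe(32)  # shown to the user once
        self._rows[self._digest(app_id)] = {
            "user": user, "name": name, "last_login": None, "revoked": False}
        return app_id

    def list_for(self, user):
        # What the user's management page would show for each app id.
        return [(r["name"], r["last_login"], r["revoked"])
                for r in self._rows.values() if r["user"] == user]

    def revoke(self, user, name):
        for r in self._rows.values():
            if r["user"] == user and r["name"] == name:
                r["revoked"] = True

    def authenticate(self, app_id):
        r = self._rows.get(self._digest(app_id))
        if r is None or r["revoked"]:
            return None
        r["last_login"] = datetime.now(timezone.utc)
        return r["user"]

def push(store, app_id, filename, data):
    """Push-only endpoint: accepts an upload, offers no read path."""
    user = store.authenticate(app_id)
    if user is None:
        return 401  # unknown or revoked app id
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_FORMATS:
        return 415  # not a format the site upload feature accepts
    return 201  # a real handler would pass `data` to the site's upload parser
```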