[22:27:46] I think that you should add the possibility of X.509 client certificates for authentication, which can avoid needing tracking cookies and other stuff like that for authentication, as well as improving security.
[22:28:36] I also think that you should allow (but not require) unencrypted connections for read-only access to public data that does not require authentication (encrypted connections should also be allowed).
[22:31:11] Using client certificates would also allow you to avoid problems involving API keys, 2FA, cookies, etc.
[22:37:05] You're probably best filing a phab task about that