Like the MySQL and SFTP IP whitelisting options, the API should have a whitelisting function. Or at least the ability to see connected domains and block specific connections.

For example, if I have 1,000 client sites that use the API and just one leaks the API auth details somehow, I would need to manually change 1,000 sites immediately. But by being able to whitelist the servers the clients are on, I would have more time to change the keys, without worrying.

I want to whitelist only my servers so only my clients' websites can use the API.