You should include the api_key and api_username in the http header because using them in the query parameters is deprecated.
I think there must be some protection in the code that prevents accidentally deleting an avatar if the field is left off or is empty. You will most likely need to provide a url to a default avatar to replace the existing avatar.