So, the only really safe way to query API from a different domain would be to allow JSONP: either by origin domain or by api_username/key, right?
If that’s correct, I’ve seen some discussion about JSONP in this topic - have it been considered for implementation eventually?