I've been reading the API documentation and note that the validate_with_login method is a GET operation. You have already documented how this would send the username and password in the plain, so do not recommend its use. However, if you allowed the username and password fields to be passed in a POST, implementors could opt to use the HTTPS interface to reduce the exposure.

I know that the TLS/SSL session covers the connection to the server, before the query is sent, so the data is not necessarily sent in the plain, but outbound logging by the user agent is more likely to include the query than the postdata.

Is there any reason you elected to go with a GET, rather than a POST here?