The v3 auth is inherently insecure as passing secrets in a URL (e.g. session id, API key, etc) is a security vulnerability as they are saved in browser history, server logs, people can post a link containing credentials unaware that they have exposed their auth details, can be exposed in the 'Referer' header, can be cached by analytics companies, etc.
The v4 auth uses a Bearer token in a header to avoid this vulnerability, however it appears to require a User token to authenticate, as such there is no secure way to authenticate an application without user credentials.
Would it be possible to add support for passing the API key and Session ID in a header for a more secure v3 auth? Would it also be possible to add support for generating v4 auth application and guest session tokens that do not require user credentials?