Adding new actions to YOURLS API : a thing to ponder

1. Adding new actions to YOURLS API : a thing to ponder
2.  
3. Currently the set of action available in the API is voluntarily limited to a few "non destructive" actions (no editing or deleting) because there's a passwordless way of doing things (signature token or signature token + time hash, see wiki page http://code.google.com/p/yourls/wiki/PasswordlessAPI)
4.  
5. I think passwordless destructive actions might be a little too dangerous to allow : no big deal if someone steals your signature token to add spam links, but pain in the ass if it's used to modify or delete all your links
6.  
7. Options :
8.  
9. - require login + pwd for destructive actions ? might be a bit limiting
10.  
11. - adding a new "super power" signature token that would be more secret, once/if there is a proper user & privileges management in YOURLS
12.  
13. - maybe another option to consider is having a YOURLS plugin that will register custom API actions