Topic: More secure authentication

Currently, logging in through the API is very insecure when using proxies, as their owners could be logging all requests. Therefore, I propose 2 changes:

Hashing the API Key

Using a changing password hash + username is way more secure than the api key + username.

In order to generate the password hash, you make a request to /user/secure.json?username=USERNAME. The response looks like this:

{
    "identifier": "SOME RANDOM CHARS",
    "to_hash": "SOME OTHER RANDOM CHARS"
}

The identifier is valid for the next 24 hours. Using "to_hash", you can create a sha512 hash like this:

// apiKey ... the e621 api key
// to_hash ... the to_hash from above
// counter ... a counter that increases with every request so the hash changes with every request
sha512(apiKey + to_hash + counter)

When using the api, you now use the identifier and the hash to prove your identity. The server then computes the same hash using the api key, to_hash and the number of requests made using the identifier and compares it with your hash.

After 24 hours, the identifier is deleted on the server.

The proxy owner only knows your username. They can't do things on your behalf as a hash is only valid once and the hash can only be created if you know the api key.
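The following is an added example (not code from the original post or from the e621 project) that models both sides of the scheme described above: the server handing out an identifier and to_hash, the client computing sha512(apiKey + to_hash + counter) per request, and the server recomputing it from its own request count so that a captured hash is rejected on replay, a hash made without the api key is rejected, and the identifier stops working after 24 hours. The class and function names, the in-memory stores and the sample username and key are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: an in-memory "server" and "client" implementing the
# proposed identifier/to_hash/counter scheme. AuthServer, Client and
# compute_hash are assumed names for this demo, not e621's own code.
IDENTIFIER_TTL = 24 * 60 * 60  # identifier lifetime in seconds (24 hours)


def compute_hash(api_key: str, to_hash: str, counter: int) -> str:
    """sha512(apiKey + to_hash + counter), exactly as the proposal describes."""
    return hashlib.sha512(f"{api_key}{to_hash}{counter}".encode()).hexdigest()


class AuthServer:
    def __init__(self, api_keys: dict, now=time.time):
        self.api_keys = api_keys      # username -> api key (assumed server store)
        self.sessions = {}            # identifier -> session state
        self.now = now                # injectable clock so expiry is testable

    def secure(self, username: str) -> dict:
        """Models GET /user/secure.json?username=USERNAME."""
        if username not in self.api_keys:
            raise KeyError("unknown user")
        identifier = secrets.token_hex(16)
        to_hash = secrets.token_hex(16)
        self.sessions[identifier] = {
            "username": username,
            "to_hash": to_hash,
            "counter": 0,             # number of requests accepted so far
            "expires": self.now() + IDENTIFIER_TTL,
        }
        return {"identifier": identifier, "to_hash": to_hash}

    def verify(self, identifier: str, client_hash: str) -> bool:
        """Recompute the hash for the next expected counter and compare."""
        session = self.sessions.get(identifier)
        if session is None:
            return False
        if self.now() >= session["expires"]:
            del self.sessions[identifier]   # identifier deleted after 24 hours
            return False
        expected = compute_hash(self.api_keys[session["username"]],
                                session["to_hash"], session["counter"])
        if not hmac.compare_digest(expected, client_hash):
            return False                     # wrong key, or a replayed hash
        session["counter"] += 1              # each hash is valid exactly once
        return True


class Client:
    def __init__(self, username: str, api_key: str):
        self.username = username
        self.api_key = api_key
        self.identifier = None
        self.to_hash = None
        self.counter = 0

    def login(self, server: AuthServer) -> None:
        resp = server.secure(self.username)   # only the username is sent here
        self.identifier, self.to_hash = resp["identifier"], resp["to_hash"]
        self.counter = 0

    def sign_request(self) -> tuple:
        """Return (identifier, hash) for the next request and advance the counter."""
        h = compute_hash(self.api_key, self.to_hash, self.counter)
        self.counter += 1
        return self.identifier, h


def demo() -> tuple:
    """Walk through the scheme: accept, reject replay, reject forgery, expire."""
    clock = [1_000.0]
    server = AuthServer({"alice": "alice-api-key-constructed"}, now=lambda: clock[0])
    client = Client("alice", "alice-api-key-constructed")
    client.login(server)

    first = client.sign_request()
    accepted = server.verify(*first)
    replayed = server.verify(*first)          # a proxy replaying the captured pair
    # Someone who saw identifier and to_hash but not the api key cannot forge:
    forged = server.verify(client.identifier,
                           compute_hash("guessed-key", client.to_hash, 1))
    second = server.verify(*client.sign_request())
    clock[0] += IDENTIFIER_TTL + 1            # 24 hours pass
    expired = server.verify(*client.sign_request())
    return accepted, replayed, forged, second, expired


if __name__ == "__main__":
    print(demo())  # (True, False, False, True, False)
```

The example keeps the post's plain sha512 concatenation so the behaviour matches the proposal; the standard keyed construction for this purpose is HMAC-SHA512 with the api key as the key, which drops in at compute_hash without changing the rest. Note also that client and server must stay in step on the counter: a request lost in transit leaves the client one ahead, and the proposal does not say how the two resynchronise.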

API keys with specific scope

Allow users to create multiple api keys. The user can choose a name and which endpoints the key can be used for.
