What we need is a way to make API calls (that do more than read) and not have to hard-code the credentials into the call itself.
Are you using the username and password for each command run? If so, then I would recommend starting each session with a login command and then referencing the sid that is created on a successful login. This would prevent each call requiring a username/password scenario.
Support for using an API key is available in the newly released R80.40.
- https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-api-key~v1.6
It might be possible to use certificate authentication for your API calls if you're using the mgmt_cli command. There is an option to use a client certificate (-c ); however, I don't know how this would work when using a POST from curl, python, etc. Unfortunately, it would still require knowing the certificate password and supplying it as a part of the script.
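
The two suggestions above (log in once and reuse the sid, and use an R80.40 API key instead of a username and password) combined in one sketch; this is an added example, not code from the thread or from Check Point. The `CP_API_KEY` environment variable, the `MgmtSession` class and the injectable `transport` argument are assumptions made for illustration.

```python
import json
import os
import ssl
import urllib.request


def https_post(url, headers, payload, context=None):
    """Default transport: JSON POST over verified TLS, returns the decoded reply."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), headers=headers)
    with urllib.request.urlopen(req, context=context or ssl.create_default_context()) as resp:
        return json.loads(resp.read())


class MgmtSession:
    """Log in once, keep the sid in memory only, send it on every later call."""

    def __init__(self, server, transport=https_post):
        self.base = f"https://{server}/web_api/"
        self.transport = transport
        self.sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if command != "login":
            if self.sid is None:
                raise RuntimeError("login first")
            headers["X-chkp-sid"] = self.sid  # session id replaces the credentials
        return self.transport(self.base + command, headers, payload or {})

    def __enter__(self):
        # The secret comes from the environment (assumed variable name), not the script.
        api_key = os.environ.get("CP_API_KEY")
        if not api_key:
            raise RuntimeError("CP_API_KEY is not set")
        self.sid = self.call("login", {"api-key": api_key})["sid"]
        return self

    def __exit__(self, exc_type, exc, tb):
        try:
            # Publish only when the block finished cleanly; otherwise drop the changes.
            self.call("publish" if exc_type is None else "discard")
        finally:
            self.call("logout")  # always end the session so the sid cannot be reused
            self.sid = None
        return False
```

Used as `with MgmtSession("mgmt.example.test") as s: s.call("add-host", {...})`, the key is read once at login and only the sid travels with the write calls.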