Would you see these two issues separate to:
a) Possibly adding a “token” style authentication (this was discussed on the old google wave site I believe)
b) “Permissions” system for the API itself
I ask as B above would allow one to call api call X but not Y - I’m asking as I’m wondering if the solution for B + mc_issue_get_access should be one thing, or whether they are two different things – i.e. controlling whether someone can use the API to do X (e.g. call issue_update) and telling a client what roles the user accessing the API has under issue_update e.g. add but not remove tags when updating an issue.