If you are using SSL, why not use HTTP-Auth plus signed certificates? Only accept certs signed by a single parent cert?

Set them to expire every so-many-months, and filter by signer if you need to ban someone who is abusive.