Tue Feb 02, 2016 7:43 pm
You know, I was recently thinking... and I might end up eventually implementing something like this myself (but no promises; feel free to beat me to it...)
It's possible to set up a "proxy" server for the API protocol itself ("API proxy"), which would in turn filter out any forbidden requests, thus giving you fine-grained control over what an API client can or can't do with the router.
It's a similar idea to the aforementioned REST API, in that it requires you to have a separate OS that the router trusts. The router would only allow connections from said server (and perhaps other fully trusted parties), while untrusted/semi-trusted parties would connect to the server instead of to the router.
The difference is that you don't need two separate sorts of clients and handling - just one (the RouterOS API).
The API proxy may sit on the same physical device, as long as there's enough RAM to hold a small KVM/MetaRouter VM instance with a bare OS and sufficient tooling to run the API proxy program. In that setup, the real router's API protocol can be dst-nat-ed to the VM for a seemingly transparent experience.
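One way to build the filtering core of such an API proxy, as an added example that is not part of the post above or any MikroTik code: it decodes RouterOS API sentences (length-prefixed words ended by an empty word, first word being the command), forwards only commands on an allowlist, and answers everything else with a `!trap` reply itself. The allowlist contents and the reply text are assumptions for illustration.

```python
# Added example, not the poster's code: RouterOS API sentence codec plus an
# allowlist filter for an API proxy. Protocol facts used: each word carries a
# 1-5 byte length prefix, a sentence ends with a zero-length word, and the
# first word of a client sentence is the command.

ALLOWED_COMMANDS = {"/login", "/ip/address/print", "/interface/print"}  # assumed

def decode_length(buf, pos):
    """Decode one 1-5 byte word-length prefix at buf[pos]; return (length, next pos)."""
    b = buf[pos]
    for limit, mask, extra in ((0x80, 0x7F, 0), (0xC0, 0x3F, 1),
                               (0xE0, 0x1F, 2), (0xF0, 0x0F, 3)):
        if b < limit:
            return ((b & mask) << (8 * extra)) | int.from_bytes(buf[pos + 1:pos + 1 + extra], "big"), pos + 1 + extra
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5

def encode_word(word):
    """Length-prefix a word with the same scheme (used here to build sentences)."""
    data = word.encode()
    n = len(data)
    for limit, width, flag in ((0x80, 1, 0), (0x4000, 2, 0x8000),
                               (0x200000, 3, 0xC00000), (0x10000000, 4, 0xE0000000)):
        if n < limit:
            return (n | flag).to_bytes(width, "big") + data
    return b"\xf0" + n.to_bytes(4, "big") + data

def encode_sentence(words):
    """Join encoded words and append the empty terminator word."""
    return b"".join(encode_word(w) for w in words) + b"\x00"

def decode_sentence(buf, pos=0):
    """Read words until the empty terminator; return (words, next pos)."""
    words = []
    while True:
        n, pos = decode_length(buf, pos)
        if n == 0:
            return words, pos
        words.append(buf[pos:pos + n].decode())
        pos += n

def proxy_filter(raw):
    """Decide for one client sentence; return (bytes to forward, bytes to reply).
    Allowed commands are re-encoded and forwarded to the router; anything else
    gets a !trap reply generated by the proxy and never reaches the router."""
    words, _ = decode_sentence(raw)
    if words and words[0] in ALLOWED_COMMANDS:
        return encode_sentence(words), None
    return None, encode_sentence(["!trap", "=message=command not permitted by API proxy"])
```

A real proxy would also have to handle partial reads from the socket and track `.tag` values so replies are routed back to the right client request.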