It's natural to concentrate on the New New Thing, but when it comes to authenticating to HTTP-based web APIs, there are options. There is certainly HMAC authentication for APIs, as shown in this Vordel Gateway case study. But remember that HTTP authentication still exists and can be used to authenticate to an API. If you want to test this, you can pick up the free Vordel SOAPbox tool which, although it has "SOAP" in its name, can also be used to test REST APIs. Here is how you do this:
First, click on the title bar for your API call:
You'll now see the "Request Settings" dialog. Notice that it's a GET request (not a POST, as it would be for SOAP). I then choose the lower "Security" tab and the upper "HTTP Authentication" tab, and configure my parameters there. Notice that mutual SSL and Kerberos are options too.
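What a GET request configured this way carries on the wire, and how the API side can check it, assuming the Basic scheme of HTTP authentication (RFC 7617). This is an added example, not part of the original post or of the Vordel tooling; the credentials are constructed and the function names are hypothetical.

```python
import base64
import hmac

# Constructed sample credentials (assumptions for this demo, not from the post).
SAMPLE_USER = "api-client"
SAMPLE_PASSWORD = "s3cret:with:colons"


def basic_auth_header(user, password):
    """Authorization header value a client sends for the Basic scheme."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    # Base64 is an encoding, not encryption: send this only over TLS.
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header_value):
    """Return (user, password), or None if the header is absent or malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad Base64 or bytes that are not UTF-8
        return None
    user, sep, password = decoded.partition(":")  # only the first ':' splits
    return (user, password) if sep else None


def check_request(header_value, expected_user, expected_password):
    """Status a protected GET would get: 200 if credentials match, else 401."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return 401
    # Constant-time comparison of both fields, without short-circuiting.
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    return 200 if (user_ok & pass_ok) else 401


if __name__ == "__main__":
    header = basic_auth_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print("Authorization:", header)
    print(check_request(header, SAMPLE_USER, SAMPLE_PASSWORD))  # matching credentials
    print(check_request(header, SAMPLE_USER, "wrong"))          # wrong password
```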