Why don't APIs support IP address authentication?
For APIs focused on server-based apps, this should work as well as anything else.
It's not possible to duplicate an IP --- the communication gets broken. If the server gets compromised --- well, any pre-shared keys are likewise compromised so the result is the same.
There are a few services that support this but not very many.