I didn't back track.

When you register an App to an API you get keys, just like your wallet on Steem. The API can determine which keys have access to do upvotes.

Everything else would work, except for upvoting, which is the biggest issue on steem after comment spam. If there was a community method for determine which apps outside of Steemit had the privilege to use the upvote calls in the API, I would be open for that. As long as the community could remove that privilege if it was found to be abused.