Hello,
I think there are more options, however I’d use personal access token for this. I’m afraid it’s still not documented (other asked before at API access via Personal Access Tokens - #2 by Marek_Hulan). You can create the PAT when you edit you profile and use that token instead of a password. The token would be still in plain text of course. Token can be set to expire and can be invalidated though a rake task if needed. The other option may be kerberos (cc @ofedoren)