Feature #20037 (open)
Add two factor authentication
Description
To increase security, it would be great to allow two-factor authentication via TOTP (RFC 6238). A user with 2FA enabled needs to provide a one-time token as a second login step.
In the profile, a user should be able to enable 2FA. For every user a secret key should be generated and provided via QR code. The user can then scan the QR code with a mobile phone (e.g. the Google Authenticator app). The app then generates one-time tokens. At every login, the user is prompted for such a token.
This technique is known from Google, AWS or GitHub.
For API requests, personal access tokens can be used.
Alternatively, a 401 response with a header like "X-Foreman-OTP: required; app" could indicate that 2FA is required for the user.
A client can send the token via a custom header: "Authorization: token TOKEN"
curl -v -u user:password -H "Authorization: token TOKEN" https://localhost:3000/api/subnets
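As an added example (not Foreman's code and not part of this ticket), the TOTP mechanics the request relies on, in plain Ruby with only OpenSSL: decoding the Base32 secret that the QR code carries, RFC 6238 token generation, verification with a one-step clock-drift window plus a last-used-step check so an already-accepted code cannot be replayed inside that window, and the otpauth URI the authenticator app scans. The secret and timestamps below are the RFC 6238 test vectors; the "Foreman" issuer label is an assumption.

```ruby
require 'openssl'
require 'uri'

# Authenticator apps exchange the shared secret as RFC 4648 Base32.
BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map { |c| BASE32.index(c).to_s(2).rjust(5, '0') }.join
  [bits[0, bits.size - bits.size % 8]].pack('B*')
end

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret, counter, digits = 6)
  mac = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>')).bytes
  offset = mac.last & 0x0f
  code = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
         (mac[offset + 2] << 8) | mac[offset + 3]
  format("%0#{digits}d", code % 10**digits)
end

# RFC 6238 TOTP: HOTP whose counter is the Unix time divided into 30 s steps.
def totp(secret, time = Time.now.to_i, step = 30)
  hotp(secret, time / step)
end

# Compare without leaking which character differs.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a submitted token, tolerating +/- drift steps of clock skew.
# Returns the matching step so the caller can persist it as last_step for the user
# and refuse a replay of the same code within the window; nil when invalid.
def totp_verify(secret, token, time = Time.now.to_i, step: 30, drift: 1, last_step: nil)
  return nil unless token.match?(/\A\d{6}\z/)
  (-drift..drift).each do |d|
    step_no = time / step + d
    next if last_step && step_no <= last_step
    return step_no if secure_equal?(hotp(secret, step_no), token)
  end
  nil
end

# Key URI encoded in the QR code shown in the profile (issuer label is assumed).
def provisioning_uri(base32_secret, account, issuer = 'Foreman')
  label = URI.encode_www_form_component("#{issuer}:#{account}")
  "otpauth://totp/#{label}?secret=#{base32_secret}&issuer=#{issuer}"
end
```

The secret must be generated from a cryptographic random source, stored encrypted, and verification should be rate limited, since a 6-digit code survives only a few guesses per window otherwise.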