Good morning, @Richard_Sanderson!
I think there are two questions there, “Why use not support simpler mechanisms?” and “Why does Infusionsoft only support OAuth2 going forward?”
In the first case, we did previously support an API Key form of authentication. We found that it had many failings, including inability to segment throttles based on multiple accessing applications (since they were all using the same key) and problems with deauthorization (since every authorized application was using the same key, the only way to remove one was to change the key and update all of them). Additionally, should the API key ever be compromised, either through man-in-the-middle attacks or application owner data breeches, there was not a way to identify bad actors by traffic patterns of a single token owner, and they would maintain access in perpetuity without any indication to the authorizer.
That leads to the second point: Infusionsoft has chosen to only support OAuth2 as our authentication method going forward because it does mitigate the above issues, and so that we have the ability to provide additional protection to the finances and livelihoods of small business owners around the world. It is indeed a more complicated flow than a simple API key, but the exchange is more than worth the additional effort involved, and there are any number of client libraries for various languages that simplify the process.