First off I want to say how much I appreciate your efforts to track down and fix the recent, apparently authentication related, issues.
Several sites that I regularly work with handle the task of controlling access to an API from a common sign-in system with a process like this:
1. The user signs into the common sign-in (earthdata in this case) and gets a specific set "API credentials". This seems to usually be a one time procedure, though I imagine you could configure it to require periodic credential rotation if that is preferred.
2. Through "back end server magic" the API credentials are communicated to the system hosting the API.
3. When the system hosting the API receives a request, it validates the API credentials locally, then responds as appropriate.
This process both allows the API calls to be as efficient as possible and decouples the common sign-in system from routine API calls.
OBPG may want to consider using a similar system. I believe LANCE and PODAAC use a system along these lines that communicates with earthdata, so you may be able to leverage some of their work in implementing it.
Sincerely, Andrew LaRoy