OK, so after some more digging: to secure our API we need to use something like OAuth2, and in fact to use it with Alexa you can only use OAuth2. There are a number of ways of doing this; as I'm quite fluent in PHP, I'd probably prefer to go down that route. I haven't used CakePHP before, but I've heard of it and I'll gladly take a look, especially if it simplifies the DB connections. I'm still getting my head round the changes in the deprecated mysql PHP functions, which I've been accustomed to for years.
There is a nice example and demo of implementing an OAuth2 server over on this site: https://bshaffer.github.io/oauth2-server-php-docs/
I don't think it would be too much work to implement this onto the core.
In terms of security, I believe keys are stored encrypted anyway, so a person with access to the LinuxMCE DB wouldn't get simple access to people's accounts, but if it really is an issue I guess a new schema just for this could be created with a password or something? But this is about giving an application like Alexa access to LinuxMCE, not Google giving LinuxMCE access to Google, if that makes sense.
Another option would be to implement a framework like this: https://apigility.org
It is designed to help create APIs and offers a few different security options for securing them. This would give better flexibility and future-proofing with regular updates, but there are obviously disadvantages as well in relying on yet another 3rd-party piece of software.
I'm confident I can implement any one of these onto the core to secure our APIs. The next stage would then, I guess, be: what do we want our API to look like, what commands would we send, and what would our structured responses look like to give the best usability and flexibility with multiple services?
I'll continue digging and see if I can implement something on my core here, just as a test, and come back to you all. Cheers for the help and advice as well; I will be back, I'm sure.