Hi Jesse,
Why do you say a valid API token is not hard for a hacker to acquire? That sounds like a problem to me. You should protect your M2M credentials just like regular credentials.
For changing user info, the user should be authorized, perhaps even with step-up auth (re-entering password or MFA), and the API should verify the user is authorized.
John
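The server-side check John describes, as an added example that is not part of the thread: the token store, the claim names and the 5-minute step-up window are assumptions for illustration, and a real API would validate a signed JWT or call the issuer's introspection endpoint instead of the in-memory table.

```python
# Added example (not from the original thread): authorization for a
# "change user info" endpoint. Token table, claim names and the 5-minute
# step-up window are assumptions chosen for illustration.
from dataclasses import dataclass

STEP_UP_MAX_AGE = 300  # seconds since the last password/MFA prompt (assumed policy)

@dataclass(frozen=True)
class Claims:
    sub: str           # principal the token was issued to
    kind: str          # "user" (interactive login) or "m2m" (client credentials)
    auth_time: float   # epoch seconds of the last password/MFA authentication
    exp: float         # token expiry, epoch seconds

# Constructed stand-in for token introspection.
TOKENS = {
    "tok-alice-fresh": Claims("alice", "user", auth_time=1000.0, exp=9999.0),
    "tok-alice-stale": Claims("alice", "user", auth_time=100.0, exp=9999.0),
    "tok-batch-job":   Claims("billing-svc", "m2m", auth_time=1000.0, exp=9999.0),
}

def authorize_profile_update(token: str, target_user: str, now: float) -> str:
    """Return "allow" or a denial reason for PUT /users/{target_user}."""
    claims = TOKENS.get(token)
    if claims is None or now >= claims.exp:
        return "deny: invalid or expired token"
    # A machine token proves only that a client is trusted, not that the user
    # consented; it is never accepted in place of the user's own authorization.
    if claims.kind != "user":
        return "deny: user-bound token required"
    # The token's subject, not a user id in the request body, decides whose
    # record may change.
    if claims.sub != target_user:
        return "deny: token subject does not match target user"
    # Step-up: a sensitive change needs a recent password/MFA re-authentication.
    if now - claims.auth_time > STEP_UP_MAX_AGE:
        return "deny: step-up authentication required"
    return "allow"

if __name__ == "__main__":
    print(authorize_profile_update("tok-alice-fresh", "alice", now=1200.0))  # allow
    print(authorize_profile_update("tok-batch-job", "alice", now=1200.0))    # deny: user-bound token required
```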