I am looking through the WordPress XML-RPC documentation, and it appears the account information is needed in plain text on every request.

Is there a token-based option to prevent this?

An alternative is to expose the XML-RPC service only over SSL.