So there are a few things here beyond the main question you're asking...
with a lack of option to grant only certain permissions to a user
You can (and generally should) limit the scopes granted to a key to the specific ones you want. If you're just wanting to check a username/password combination, the "auth" scope should be all that you need.
and no way of restricting access to a whitelist of IP addresses
True, though if this is significant to you, this can be implemented via your web server (or a reverse proxy if you're using that). All API requests have a "/api/" prefix so they can be detected.
What protection does the API authentication have against someone attempting to brute force the super user API key if I were to create one?
So there isn't an explicit brute force filtering, though the brute forcing is likely to be significantly more difficult than you might be thinking. API keys are randomly generated 32 character strings. This is significantly more "entropy" than any traditionally-generated password and results in something around 10^57 potential combinations. This is well above the point of a practical brute force attempt, even disregarding the additional difficulty of attempting to brute force a value on a remote server.
They are also looked up in a way to be resistant to timing attacks (so you can't work out 1 character at a time).
It's worth mentioning that even beyond API keys, the entire concept of user "remember me" keys uses essentially the same concept. These have existed in XF since the beginning (though the approach was changed for 2.0 for different reasons).
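To make the two points in the reply concrete (why a random 32-character key is out of brute-force range, and what a timing-resistant lookup looks like), here is a small added example. It is not XenForo's code; it assumes a 62-symbol alphabet (upper, lower, digits) since the post only states the length, and the store, scope names and SHA-256 fingerprinting are my own choices for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumption: keys are drawn from letters and digits (62 symbols); the post
# only says "32 character strings", so the alphabet is an assumption here.
ALPHABET = string.ascii_letters + string.digits
KEY_LENGTH = 32


def generate_api_key() -> str:
    """Generate a 32-character key using a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))


def keyspace_size() -> int:
    """Number of possible keys: 62**32, about 2.3e57."""
    return len(ALPHABET) ** KEY_LENGTH


def entropy_bits() -> float:
    """Bits of entropy in a key: 32 * log2(62), about 190 bits."""
    return KEY_LENGTH * math.log2(len(ALPHABET))


def key_fingerprint(key: str) -> str:
    """Store a hash of the key rather than the key itself, so a leaked table
    does not hand out usable keys and so comparisons run over a fixed-length
    digest that does not reveal which characters of the real key matched."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Hypothetical in-memory key store with scoped keys and a lookup that
    does not leak partial matches through response time."""

    def __init__(self) -> None:
        self._records = {}  # fingerprint -> {"user": ..., "scopes": set()}

    def add(self, key: str, user: str, scopes) -> None:
        self._records[key_fingerprint(key)] = {"user": user, "scopes": set(scopes)}

    def lookup(self, presented: str):
        """Return the record for a presented key, or None.

        Hashing the presented key first already removes the character-by-
        character leak (the attacker only influences a digest, not which bytes
        of the stored value match). Comparing every stored fingerprint with a
        constant-time comparison keeps the timing independent of which entry,
        if any, matched."""
        fp = key_fingerprint(presented)
        match = None
        for stored_fp, record in self._records.items():
            if hmac.compare_digest(fp, stored_fp):
                match = record
        return match

    def authorize(self, presented: str, required_scope: str) -> bool:
        """True only if the key exists and carries the required scope."""
        record = self.lookup(presented)
        return record is not None and required_scope in record["scopes"]


if __name__ == "__main__":
    store = ApiKeyStore()
    login_key = generate_api_key()
    store.add(login_key, "login-checker", ["auth"])  # scoped to "auth" only
    print(f"keyspace ~ 10^{math.log10(keyspace_size()):.1f}, {entropy_bits():.0f} bits")
    print("auth scope:", store.authorize(login_key, "auth"))
    print("user write scope:", store.authorize(login_key, "user:write"))
```

The scoped key in the usage section mirrors the advice above: a key created just to verify username/password combinations gets the "auth" scope and nothing else, so even a leaked key cannot be used for anything broader.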