The admin API will be implemented as a separate topology.  This will allows for a separate authentication and authentication and authorization from normal topologies/clusters.  The admin topology will be called admin.  This may conflict with existing customer topologies but that could be addressed by the customer renaming the admin topology.

 

<topology>
  <gateway>
    ....
  </gateway>
  <service>
    <role>ADMIN</role>
  </service>
</topology>