Goodreads Developers discussion

feature requests > User specific Secrets


message 1: by Mike (new)

Mike Greene | 5 comments

This is how almost all REST APIs are moving now. I understand your frustration, as this makes extra steps for API calls and really you are still just using a User/Pass, but what this does allow is authentication from a different, trusted source. For instance, you could make an account on Goodreads without ever having a login/password on Goodreads. You can just log in with your Facebook credentials.

So if you think about it, in a normal browser interaction, you OAuth from Facebook and get a token, which has an expiration. This is usually saved as a cookie set to expire, which is passed with web interactions to prove you are logged in.

So in the API you are mimicking this, but without the cookie. This makes the security for the API work the same way as the security for the website, and that uniformity makes managing the security easier from the Goodreads perspective.

