More and more APIs and web pages require a token, and more and more of those don't support a token via the calling URI, but rather via the HTTP Authorization header.
I see that the Discogs web source uses what I guess is a sort of proxy on mp3tag.de server to inject it.
My suggestion is to add something like [Authorization]= keyword to the web source framework which could create the "Authorization: " header. This will at least solve the situation where a static token is an option.