I took a minute and looked at it; it's even easier than I might have thought. When doing a login (via a simple post of the username & password) you can tell it to remember you. Which means the cookie it hands back will have a 365 day age rather than only for the session.
I just copied & pasted that into my REST tester and sure enough it works fine. If you're posting to https://api.imageshack.us/v1/images to do the upload all you have to do is add an auth_token parameter and put that cookie in it. Personally I'd be happy with just exposing a spot for me to do that, but I'm comfortable with doing that REST post.
Looks like you're using the XML endpoint as described here not the JSON described in the main API link. https://code.google.com/p/imageshackapi … geshackAPI But under "uploading into accounts" it indicates how to do it. Looks like the simplest thing would be to direct the user to login at the URL they specify and retrieve the cookie, then let them put it in a config box.
That code says you can just use the user's cookie as an additional parameter and sure enough, that's what I patched into the script and it works fine - I just added -F 'cookie=MYCOOKIEHERE' to the curl line and files are showing up in my account now.
For safety's sake it really should test the key as described in the above link and then not use it if it doesn't pass, but it's going to get the job done for me for the moment.