In case it works as inspiration or safety ideas, I share with you this link: http://www.addictivetips.com/android/retune-allows-remote-control-of-itunes-playback-from-android/
I REALLY like the pairing pattern! I have an idea to make it very strong: let's suppose
BEWARE... DENSE READING User U has a device D wanting to control musicbee M, so user starts musicbee M and goes to a "device pairing screen", presses ADD NEW and it shows a "WAITING FOR DEVICE" screen
user U picks up device D and pushes the "PAIR SERVER" option so device D asks musicbee for pair initiate and sends its "device id and name"
M receives the pairing request and returns a randomly generated challenge to D and shows a pin code to U.
D receives the challenge and asks U for pin
D sends hash(challenge+pin) to M
M compares to its own hash(challenge+pin) and if it's ok sends a random prekey to D
D receives random prekey and stores hash(random prekey+pin) as his FINAL PAIRING KEY with that server
M stores hash(random prekey + pin) as FINAL PAIRING KEY with that device id/name
END OF SPEC. So as neither the pin nor the final pairing key is ever sent, it's eavesdropping safe and we can use it even on unsafe networks. User experience wise he has only to input a pin on his device or web browser the first time he wishes to pair musicbee to the controller, which seems to me not too much of a burden
When a device wants to use the api he must first call "logon" and this sends a challenge that must be responded to by hashing final pairing key + challenge; if that's ok the server sends a cookie that is its session id
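The pairing and logon exchange described in the post above, simulated with both sides (M and D) in one process as an added example; this is not code from the post or from MusicBee. It assumes SHA-256 for hash(), "+" as byte concatenation, a 6-digit pin shown on M's screen, and a constant-time compare on the server side.

```python
# Added example: M (server) and D (device) sides of the pairing scheme above.
# Assumptions: hash() = SHA-256 over concatenated bytes, 6-digit pin, hex keys.
import hashlib, hmac, secrets

def h(*parts: bytes) -> str:
    """hash(a+b): SHA-256 over the concatenated parts, hex encoded."""
    return hashlib.sha256(b"".join(parts)).hexdigest()

class Server:                      # musicbee M
    def __init__(self):
        self.pending = {}          # device_id -> (challenge, pin) during pairing
        self.keys = {}             # device_id -> FINAL PAIRING KEY
        self.logon_pending = {}    # device_id -> logon challenge
        self.sessions = {}         # cookie -> device_id

    def pair_initiate(self, device_id, name):
        challenge = secrets.token_bytes(16)
        pin = f"{secrets.randbelow(10**6):06d}"   # shown to user U on M's screen
        self.pending[device_id] = (challenge, pin)
        return challenge, pin

    def pair_respond(self, device_id, response):
        challenge, pin = self.pending.pop(device_id)
        # constant-time compare of D's hash(challenge+pin) against M's own
        if not hmac.compare_digest(response, h(challenge, pin.encode())):
            return None                           # wrong pin: no prekey, no key stored
        prekey = secrets.token_bytes(16)
        self.keys[device_id] = h(prekey, pin.encode())   # M's FINAL PAIRING KEY
        return prekey

    def logon_start(self, device_id):
        self.logon_pending[device_id] = c = secrets.token_bytes(16)
        return c

    def logon_finish(self, device_id, response):
        c = self.logon_pending.pop(device_id)
        if not hmac.compare_digest(response, h(self.keys[device_id].encode(), c)):
            return None
        cookie = secrets.token_hex(16)            # session id handed back to D
        self.sessions[cookie] = device_id
        return cookie

def run_pairing(server, device_id="dev-1", wrong_pin=None):
    """Device side D: pair, then logon; returns the session cookie or None."""
    challenge, shown_pin = server.pair_initiate(device_id, "Phone")
    pin = wrong_pin or shown_pin                  # U types the pin seen on M
    prekey = server.pair_respond(device_id, h(challenge, pin.encode()))
    if prekey is None:
        return None
    final_key = h(prekey, pin.encode())           # D's FINAL PAIRING KEY, never sent
    c = server.logon_start(device_id)
    return server.logon_finish(device_id, h(final_key.encode(), c))
```

Only challenge, hash, prekey and cookie cross the wire; the pin and final key never do, and a wrong pin leaves M with no stored key for that device.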