Pownce does have an API, it's just not public or official. You can see how it works by snooping on comms from the desktop app to pownce.com. In the grand tradition of reverse engineering on this blog (see: xmlStorageSystem, Salon Blogs hacking), here are the endpoints I can access. Mr Twitterific appears to have figured it out, too. I don't have the time to delve in further, but hopefully this can be a good starting point for someone else to build a proper client, or perhaps an encouragement for Pownce to make the whole thing public.
→ returns a 200 OK response with no content.
Authorization: Basic base64(login ':' password)
→ returns a Set-Cookie header with a session ID, and a chunk of XML with a <login/> element. The important part here is the 'token' attribute, which will be used as the WSSE password from now on. (You wouldn't believe how much of a pain this was to figure out - a complete needle in the haystack.)
auth=url-encoded WSSE UsernameToken, with your username in the Username field and the content of the login/@token attribute from the /api/login/ call used as a password
→ returns an Atom feed of recent posts visible by username.
auth=WSSE UsernameToken, as above
→ posts a new message. Here's an example public message.
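The authentication chain described above (Basic login, the login/@token value, then a URL-encoded WSSE UsernameToken passed as auth=), sketched as an added example that is not code from the original post or from Pownce. It assumes the standard WSSE digest form, Base64(SHA1(nonce + created + password)), which the post does not confirm; the sample XML, token value and function names are constructed for illustration.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample: only the <login/> element and its 'token' attribute
# come from the post; the value is made up.
SAMPLE_LOGIN_XML = '<login token="constructed-token-123"/>'

def basic_auth_header(login, password):
    """Header for the login call: Basic base64(login ':' password).
    Base64 is an encoding, not encryption, so this call needs TLS."""
    raw = f"{login}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def extract_token(login_xml):
    """Return login/@token from the login response, or raise ValueError."""
    root = ET.fromstring(login_xml)
    node = root if root.tag == "login" else root.find(".//login")
    if node is None or not node.get("token"):
        raise ValueError("no login/@token in response")
    return node.get("token")

def wsse_username_token(username, token, nonce, created):
    """Build the UsernameToken with the login token used as the password.
    Assumption: digest = Base64(SHA1(raw nonce + created + password))."""
    material = nonce + created.encode("utf-8") + token.encode("utf-8")
    digest = base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Nonce="{nonce_b64}", Created="{created}"')

def auth_param(username, token, nonce=None, created=None):
    """URL-encode the UsernameToken into the auth= parameter.
    A fresh random nonce and timestamp are used unless supplied."""
    if nonce is None:
        nonce = os.urandom(16)
    if created is None:
        created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    header = wsse_username_token(username, token, nonce, created)
    return "auth=" + quote(header, safe="")

if __name__ == "__main__":
    token = extract_token(SAMPLE_LOGIN_XML)
    print(basic_auth_header("alice", "pw"))
    print(auth_param("alice", token))
```

After the login call the account password is no longer sent; only a digest derived from the session token, a nonce and a timestamp goes on the wire.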