I'm designing a web API, which will use credentials from another system to authenticate. The API will require HTTPS, however I still want to avoid sending a basically plaintext password over the wire using HTTP Basic Authentication.
I'm aware of the Secure Remote Password protocol, but TLS-SRP (as SRP authentication over TLS will effectively be) seems overkill for the level of sensitivity of data the API will provide (mostly sensitive business-level IT info; not something we want to shout to the world but not financial or personally-identifying).
I'm thinking that a scheme where the client SHA256-hashes their password, then transmits username and hash over HTTPS to the API server, which can then bcrypt it before comparing to a stored hash, should be more than enough to securely transmit and store user credentials. What vectors could this be vulnerable to (other than a keylogger on the client device)?