I describe it briefly on my "How It Works" page but since that's currently the main page I didn't want to get technical. I could add a more detailed "Under the Hood" page to more fully explain how it functions. I'd have to read up more on Elliptic Curve math to be able to explain it adequately as I pretty much trust vanitygen that it is safe as stated.

The math is out there. Basically vanitygen uses your login public key to generate vanity keys and due to EC math those keys will function when combined with the unknown private key once back in the browser. This login private key is "added" to the partial key generated by vanitygen to create the final vanity private key.

I did test the partial key created by vanitygen on bitaddress.org to see if it is a valid key and was told it isn't valid. Only when it is added to the original private key does bitaddress.org then recognize it as a valid key.

I haven't added an end user api yet but the client JS does already access an Ajax JSON interface. It would require at your end a fairly small function to do the final key addition. I'd have to create a few samples in php, python etc.