Usually with an API key, you have a corresponding "Secret" key. This is called a shared secret. Using the shared secret, you can come up with a unique signature that only yourself and the host can generate. You also want to use some sort of TTL for the signature, to prevent replay attacks. Passwords should never be stored in plaintext. They should be hashed using a cryptographically secure hashing function (bcrypt is easy enough). Password hashes shouldn't ever be exposed to anyone. If you need to provide login functionality, provide a method that takes a username and password. Make sure that username and password method has a backoff time to prevent someone from partying on that API (calling it with username and password combinations). As the password has to be sent in clear text, make sure your login API is over SSL.
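As an added example (not from the comment above), here is the shared-secret signature scheme it describes, done with HMAC-SHA256 and a timestamp TTL on the server side; the API-key-to-secret table, header names and 300-second window are assumptions for the demo.

```python
import hmac
import hashlib
import time

# Constructed sample credential store: API key -> shared secret (assumption for the demo).
SECRETS = {"key-123": b"s3cr3t-shared-secret"}
TTL_SECONDS = 300  # signatures older than this are rejected: bounds the replay window


def canonical(method, path, body, timestamp):
    # Bind the signature to method, path, body hash and timestamp so it cannot be
    # lifted from one request and attached to a different one.
    prefix = f"{method}\n{path}\n{timestamp}\n".encode()
    return prefix + hashlib.sha256(body).hexdigest().encode()


def sign(api_key, method, path, body, timestamp=None):
    """Client side: compute the headers that accompany a signed request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    secret = SECRETS[api_key]
    mac = hmac.new(secret, canonical(method, path, body, ts), hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key, "X-Timestamp": str(ts), "X-Signature": mac}


def verify(headers, method, path, body, now=None):
    """Server side: True only for a fresh request whose signature matches."""
    now = int(time.time()) if now is None else int(now)
    secret = SECRETS.get(headers.get("X-Api-Key"))
    if secret is None:
        return False  # unknown key: do not reveal which check failed
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > TTL_SECONDS:
        return False  # outside the TTL: treat as expired or replayed
    expected = hmac.new(secret, canonical(method, path, body, ts), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

A TTL only bounds the replay window; remembering each accepted (key, timestamp, signature) tuple for TTL_SECONDS and rejecting repeats closes it entirely.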