views: 37
answers: 2
This is my first time building an authenticated API and I'm running into a few roadblocks.

How do I securely pass an API key from the remote client's page to my server (for the user to authenticate connecting his account to the client's page/app)?

-dylan

A: 

Have you looked into SSL?

Viper_Sb
A: 

In my experience, API keys are actually used as salts for hashes, and the key itself is not actually passed.

When a client generates a request to the server, it hashes a bunch of stuff together (request time, user_id) + the hash, and the hash is included in the request. On the server side, the same hash is recalculated by retrieving the key on the server and following the same steps. If the hash doesn't match, it means the client making requests to the server doesn't know 1) the steps to create the hash, and, more importantly, 2) the API key used as the salt to create the hash. In this way you can determine that your client does in fact have the key, and that they know how to authenticate, all without sending the actual API key.

Chris Henry
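The scheme Chris describes is request signing: the client proves possession of the secret without transmitting it. The following is an added example, not code posted by Chris or by the question's author. It uses HMAC-SHA256 (the standard keyed construction for this job) rather than an ad-hoc "hash the key in with the fields" recipe, and it adds the two checks a server needs in practice: a timestamp window and a nonce register so that a captured request cannot simply be replayed. The key id, secret value, header names, path and body are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential pair (hypothetical values). In practice the
# server issues these once, over TLS, and stores the secret against the key id.
API_KEY_ID = "client-42"
API_SECRET = "7f9c2ba4e88f827d616045507605853e"

# Server-side lookup table: public key id -> shared secret.
SERVER_SECRETS = {API_KEY_ID: API_SECRET}

# Maximum drift between the request timestamp and the server clock; this bounds
# how long a captured request remains replayable.
MAX_CLOCK_SKEW_SECONDS = 300


def canonical_string(method, path, body, key_id, timestamp, nonce):
    """Deterministic serialisation of every request part that is signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, key_id, str(timestamp), nonce])


def sign_request(secret, method, path, body, key_id, timestamp, nonce):
    """Client side: HMAC-SHA256 over the canonical string, hex encoded."""
    msg = canonical_string(method, path, body, key_id, timestamp, nonce).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def build_headers(secret, key_id, method, path, body, now=None, nonce=None):
    """Client side: produce the authentication headers for one request."""
    timestamp = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    sig = sign_request(secret, method, path, body, key_id, timestamp, nonce)
    return {
        "X-Api-Key-Id": key_id,
        "X-Timestamp": str(timestamp),
        "X-Nonce": nonce,
        "X-Signature": sig,
    }


def verify_request(headers, method, path, body, seen_nonces, now=None):
    """Server side: recompute the signature and apply replay checks.

    Returns (ok, reason). The nonce is only recorded after the signature
    verifies, so an attacker cannot exhaust nonces with unsigned requests.
    """
    key_id = headers.get("X-Api-Key-Id", "")
    secret = SERVER_SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key id"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    current = now if now is not None else time.time()
    if abs(current - timestamp) > MAX_CLOCK_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in seen_nonces:
        return False, "nonce missing or already used"
    expected = sign_request(secret, method, path, body, key_id, timestamp, nonce)
    # compare_digest does not leak how many leading bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, "ok"


def demo():
    """Walk through a valid request, a replay, a tampered body and a stale one."""
    body = b'{"action":"link_account"}'  # constructed request body
    now = 1_700_000_000
    seen = set()
    headers = build_headers(API_SECRET, API_KEY_ID, "POST", "/v1/link", body,
                            now=now, nonce="abc123")
    first = verify_request(headers, "POST", "/v1/link", body, seen, now=now)
    replay = verify_request(headers, "POST", "/v1/link", body, seen, now=now)
    tampered = verify_request(headers, "POST", "/v1/link", b'{"action":"unlink"}',
                              set(), now=now + 1)
    stale = verify_request(headers, "POST", "/v1/link", body, set(), now=now + 3600)
    return first, replay, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("valid", "replay", "tampered", "stale"), demo()):
        print(f"{label}: {result}")
```

Signing proves the caller holds the secret and that the signed fields were not altered; it does not hide the request contents, so the answer to the first reply still applies: run the whole exchange over TLS. The secret itself has to reach the client once, out of band or during an authenticated setup step, and after that it never appears on the wire.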