A way to add access control to a webservice called by javascript?

I have a PHP webservice that I need to add exclusive access to. This I could do with md5sums or similar, but my problem is that I also have a website that calls the webservice from javascript. So any keys, md5sums, and what I can think of can be read in the javascript and does not provide much security. For example an url like http://my-webservice.com?supersecretkey=omg is easy to read in the javascript and replicate.

What would be the best approach? Sessions? Oauth? I have researched a bit, but I keep running into开发者_运维问答 the problem that most examples are not so that they can be called from javascript.

For something like this, I would go with HMAC:

http://en.wikipedia.org/wiki/HMAC

Securing a javascript client with hmac

I think you should rethink your architecture here. Calling secure web services with javascript is not the way to go. Maybe create server resources that can authenticate the javascript call and perform the necessary data query and return it to the javascript function in Json.

Also bear in mind that not everyone has javascript enabled in their browser, so it might be good to change to a server based call altogether.