PHP: Authenticating my REST application

I've been looking into ways of making my REST application a tad more secure. HTTP Basic authentication seems like a way, but with the need of shipping username+password between the client and the server on every request. Could work fine if I used curl, but with a Javascript file? Not so cool.

I've found and read about the Digest HTTP authentication lately which seems to be a big step up from the security HTTP Basic offers, a开发者_高级运维lthough a lot more complicated to understand, which I still haven't to be completely honest.

I've looked at this question and it's answers to learn about the pro's and con's of using the Digest method, but it appears that the more I think about it, the messier it all gets.

There seems to be plenty of already available solutions out there to solve this issue, however most of them are now close to 10 years of age.

Is the Digest method a dinosour that should be best left alone in the dark for another, newer ways of securing requests, or are there any good already-existing Digest libraries available?

Have you thought of using HTTPS? All you really need is a signed security certificate for the domain and to check in your code to make sure it connects that way. It will use SSL that way and the server and browser will automatically take care of encrypting the data sent back and forth and will use a three-way handshake for all communication.

You could look into different authentication techniques used by popular APIs like Facebook and Twitter which use the OAuth method for authentication.

Other APIs like Google Maps (v2) and Bitly let you access their API with an API key in the URL. So each user has an API key to use in the request like http://api.domain.com/get?key=supersecureapikey

Both methods are excellent and are widely used throughout the web, only accessing APIs directly from javascript will expose API keys/passwords. One option (the option I use) to get around this is to have the javascript call a file on your server which performs the API call on the server side, thus keeping keys/passwords [more] secure.