How to use a key and secret for verification?

On most API's such as facebook and bebo, t开发者_如何转开发o use their API you must get a key and a secret. What are some good methods for building a system like this? I will be using PHP/MySQL.

How can I basically verify that a user key and a secret are OK when an app sends an API request? I was thinking of storing them in MySQL, which is where I will have them stored no matter what. But I was wondering if there is some other method that is better for the verification process, instead of hitting the database on every single API request?

If the key is an encrypted form of the domain and secret they're using, you wouldn't need to hit the db to verify them.

if ($key != encrypt($domain . $secret))
    // die

Cache the auth info in memcached and you'll save reads in the db.

you'll need somewhere to keep the key/secret combo. i think its impossible not to have a db hit unless you use some sort of caching like memcached.

in regards to they key/secret implementation, several places use a public/private key combo. you encrypt they data with the private key, then send it across where it's decrypted with the public key (or vice versa). I think the openssl package has this functionality.

http://php.net/manual/en/book.openssl.php

-d