Exposing a web service, Security concerns
I created a web service based on HTTPS which I am sharing with my friends. I am worried about the security of the web service, because the username and password will work if they are making the request from the server side. However, if I want to provide a widget like Twitter, I am worried about having the authentication code in the HTML.
What are the industry best practices?
Regards Bala
Review the following:
- Client certificates - allow the server to identify clients - this is the safest, approved standard way.
- Some web services use the "client certificates" approach but implement it in a native way. So you expose some method providing an asymmetric signature exchange, where you exchange the public parts of the key with the client. All other methods of the service accept a session key, which is checked for a match with the client. (This session key may also be stored in cookies.)
- One-time password - rather fast; you generate some salt and provide it to the client in a public way. The client must calculate a hash from the secret ID and this salt every time and use it as a parameter to each method.
- Google API/Yahoo API... use a unique string that identifies the customer; of course it can be compromised, but for public services it is enough to identify the problem and disable the account.
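The one-time-password option described in the answer above, as an added Python example (it is not code from the original answer or from any of the services named). It assumes one shared secret per client id, uses HMAC-SHA256 in place of a bare hash of secret and salt, and makes each salt single-use and time-limited so a captured response cannot be replayed. For the widget case in the question: anything that runs in the visitor's browser cannot keep a secret, so the response should be computed by your own backend, which the widget calls; the client id and secret below are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential store (assumption: one shared secret per client id).
# The secret lives only on the server and on the trusted client, never in HTML.
CLIENT_SECRETS = {
    "bala-widget-backend": b"constructed-shared-secret-replace-me",
}


def compute_response(secret: bytes, salt: str) -> str:
    """Client side: derive the per-request value from the secret and the salt.
    HMAC-SHA256 is used instead of hashing secret+salt directly so that the
    construction is a keyed MAC rather than a plain digest."""
    return hmac.new(secret, salt.encode("ascii"), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Server side: hands out single-use salts and verifies the client's response."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self._pending = {}  # salt -> (client_id, issued_at)

    def issue_salt(self, client_id: str) -> str:
        if client_id not in CLIENT_SECRETS:
            raise KeyError("unknown client id")
        salt = secrets.token_hex(16)  # 128 bits of randomness; safe to publish
        self._pending[salt] = (client_id, time.monotonic())
        return salt

    def verify(self, client_id: str, salt: str, response: str) -> bool:
        # pop() makes the salt single-use: a replayed salt/response pair fails
        entry = self._pending.pop(salt, None)
        if entry is None:
            return False
        owner, issued_at = entry
        if owner != client_id or time.monotonic() - issued_at > self.ttl:
            return False
        expected = compute_response(CLIENT_SECRETS[client_id], salt)
        # constant-time comparison avoids leaking how many leading chars matched
        return hmac.compare_digest(expected.encode("ascii"), response.encode("utf-8"))


def run_demo() -> dict:
    """One full exchange plus the two failure cases worth testing."""
    server = ChallengeServer()
    client_id = "bala-widget-backend"

    # 1. client asks for a salt, 2. client answers, 3. server accepts
    salt = server.issue_salt(client_id)
    response = compute_response(CLIENT_SECRETS[client_id], salt)
    first = server.verify(client_id, salt, response)

    # replaying the same salt/response pair must be rejected
    replay = server.verify(client_id, salt, response)

    # a response computed with the wrong secret must be rejected
    salt2 = server.issue_salt(client_id)
    forged = compute_response(b"wrong-secret", salt2)
    wrong = server.verify(client_id, salt2, forged)

    return {"accepted": first, "replay_rejected": not replay, "forgery_rejected": not wrong}


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment `issue_salt` and `verify` would sit behind two HTTPS endpoints, and the pending-salt table would need expiry sweeping (here entries are only removed when used) so it cannot grow without bound.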