Building A RESTFul API, How To Do Authentication

I am building a RESTFul API and wondering what's the best way to do auth? Users will need to authen开发者_JAVA技巧ticate. I know of three ways:

1.) Pass API key in every RESTFul requests:

http://api.mydomain.com/api-key-here/get-users

This is nice because developers can immediately start using the API by simply copying URL string into the browser. Are there any potential security risks though?

2.) Every request passes the API key in the header of the request.

This seems to be more secure, but developers can't make requests via their browser. CURL is required.

3.) oAuth

I must admit I don't know much about it, but seems very popular. My concern is that its a barrier for developers to start using the API. They first must be familiar with oAuth, and have it setup.

Thoughts? Thanks greatly.

If your concern is burdening developers with a high cost to entry, I suggest basic auth, but running your API over https.

I do this with Diligent Street and it works really well. I use an API Key and couple it with a Secret as the username/password combination for basic auth.

I have employed the technique found here: Build a RESTful API. This solution uses an MD5 hash of your API ID, API secret and the UNIX Time stamp and passed in the HTTP header. This authentication method is the same used by Mashery’s Authentication.

This link references and contains a full blown starter kit for creating an API that has Auth, Membership and*API Usage Metering* along with a supporting EF database.

As for testing the service you can use RESTClient to execute HTTP calls with custom headers instead of using Curl.