Make the API-key exchange secure by using HMAC
Scheme:
RP: $h=md5(API)
OP: $h=md5(API) (Database)

RP -> OP: Initialize
OP: session_start(); $salt=rand(); $_SESSION['salt']=$salt;
OP -> RP: $salt,sessid
RP: $auth=hmac($h,$salt);
RP -> OP: $auth,sessid
OP: $auth==hmac($h,$salt)?$_SESSION['auth']=true : $_SESSION['auth']=false;
OP -> RP: OK,sessid
RP: Client api-calls
OP: Server responses
RP: Finished
RP -> OP: kill,sessid,$salt
OP: Check salt, session_destroy();
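
The exchange above with both sides in one script, as an added example (not code from this project). Assumptions: the class Op, the in-memory $sessions array standing in for the PHP session, SHA-256 as the HMAC hash, random_bytes() in place of rand(), a one-attempt-per-challenge rule, and a single stored key.

```php
<?php
declare(strict_types=1);
// OP side (hypothetical class). $sessions stands in for $_SESSION, $h for the database value.
final class Op
{
    private array $sessions = [];
    public function __construct(private string $h) {}

    // "Initialize": open a session and issue a fresh, unpredictable challenge.
    public function initialize(): array
    {
        $sessid = bin2hex(random_bytes(16));
        $salt   = bin2hex(random_bytes(16)); // CSPRNG (assumption) where the scheme writes rand()
        $this->sessions[$sessid] = ['salt' => $salt, 'auth' => false, 'answered' => false];
        return [$salt, $sessid];
    }

    // "$auth,sessid": one attempt per challenge (assumption), compared in constant time.
    public function authenticate(string $auth, string $sessid): bool
    {
        if (!isset($this->sessions[$sessid]) || $this->sessions[$sessid]['answered']) {
            return false;
        }
        $s = &$this->sessions[$sessid];
        $s['answered'] = true;
        $s['auth'] = hash_equals(hash_hmac('sha256', $s['salt'], $this->h), $auth);
        return $s['auth'];
    }

    // "kill,sessid,$salt": check the salt, then destroy the session.
    public function kill(string $sessid, string $salt): bool
    {
        $s = $this->sessions[$sessid] ?? null;
        if ($s === null || !hash_equals($s['salt'], $salt)) {
            return false;
        }
        unset($this->sessions[$sessid]);
        return true;
    }
}

// RP side: only the HMAC over the challenge crosses the wire, never the API key or $h.
$apiKey = 'constructed-demo-api-key';               // constructed sample value
$op = new Op(md5($apiKey));                         // $h=md5(API) as held by the OP
[$salt, $sessid] = $op->initialize();
$auth = hash_hmac('sha256', $salt, md5($apiKey));   // $auth=hmac($h,$salt); SHA-256 is an assumption
var_dump($op->authenticate($auth, $sessid));        // first answer to the challenge
var_dump($op->authenticate($auth, $sessid));        // same answer sent again for the same challenge
var_dump($op->kill($sessid, $salt));                // end of session
```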