I'm in the process of finishing up an API I have created for clients to interface with. Currently this API is fairly basic and is eventually expected to add more functionality in future versions. As of right now though my API only has one get and one post option. For the sake of an example that everyone can follow I will use books.

Currently you can do a GET request to api.domain.com/v1/book/ and it will return an XML response containing a list of the current books in the system. The POST request sent to api.domain.com/v1/book/ will add a new book to the catalog. To expand on the POST request, the data being posted is an array containing an index of xml with a value of an XML request.

Now I don't really care if someone can do a GET request and obtain information, but I do want to lock down the POST requests to only accept input from authorized sources. This is where I'm stuck. I'm trying to find a way to authenticate the client connecting. I have looked at HTTP Basic Auth and I wasn't too thrilled with the idea of using plain text usernames and passwords, even though all data is transmitted over an SSL connection. I also looked at OAuth, and while it does sound like it could work, it looks like for a basic client/server relationship it might be a bit too much. Maybe I've just not seen the right example of OAuth for client/server. My next thought was to have the client send over an API key assigned to them, and in this key would be the encrypted value of their domain name along with their client id. On the server I would decrypt the API key and first verify the source in the key matches the one sending the key. If that checks out then I would verify that the supplied client id is in our authorized list of users. Should that pass then their request would be accepted.

Pseudo Code
PHP Code:
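if (isset($_POST['apikey'])) {
    // Decrypt the key into its domain and client id parts
    $arraykey = decryptKey($_POST['apikey']);
    // The domain inside the key must match the host sending the request
    if ($arraykey['domain'] == $_SERVER['REMOTE_HOST']) {
        // The client id must be in the authorized list
        if (validClient($arraykey['clientid'])) {
            // Process request
        } else {
            sendResponse(401, 'not authorized');
        }
    } else {
        sendResponse(401, 'not authorized');
    }
} else {
    sendResponse(401, 'not authorized');
}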

Does anyone see a potential problem with this kind of authentication?
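
The scheme described in the post, filled in as an added example that is not part of the original post: the key is issued and opened with libsodium's authenticated encryption, so a key that has been altered fails to decrypt instead of yielding garbage fields. The key layout, the `issueKey` and `authorize` helpers, the client list and the host names are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Key layout assumed here: base64(nonce || secretbox(JSON)); all values are constructed.
const AUTHORIZED_CLIENTS = ['client-1001', 'client-1002']; // constructed list

function issueKey(string $domain, string $clientId, string $secret): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = json_encode(['domain' => $domain, 'clientid' => $clientId], JSON_THROW_ON_ERROR);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $secret));
}

// Returns ['domain' => ..., 'clientid' => ...], or null if the key is malformed or was altered.
function decryptKey(string $apikey, string $secret): ?array
{
    $raw = base64_decode($apikey, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $secret);
    if ($plain === false) {
        return null; // authentication tag did not verify
    }
    $data = json_decode($plain, true);
    $ok = is_array($data) && is_string($data['domain'] ?? null) && is_string($data['clientid'] ?? null);
    return $ok ? $data : null;
}

function validClient(string $clientId): bool
{
    return in_array($clientId, AUTHORIZED_CLIENTS, true);
}

// The three checks from the post, returning the HTTP status to send.
function authorize(?string $apikey, string $remoteHost, string $secret): int
{
    $key = $apikey === null ? null : decryptKey($apikey, $secret);
    if ($key === null || strcasecmp($key['domain'], $remoteHost) !== 0) {
        return 401;
    }
    return validClient($key['clientid']) ? 200 : 401;
}

$secret = sodium_crypto_secretbox_keygen(); // server-side secret, never sent to clients
$key = issueKey('client.example.com', 'client-1001', $secret);
var_dump(authorize($key, 'client.example.com', $secret)); // key presented from the host it names
var_dump(authorize($key, 'other.example.net', $secret));  // same key presented from another host
$tampered = $key; $tampered[30] = $tampered[30] === 'A' ? 'B' : 'A';
var_dump(authorize($tampered, 'client.example.com', $secret)); // altered key
```

In a request handler the `$remoteHost` argument would be `$_SERVER['REMOTE_HOST']`, which PHP only receives when the web server is configured to resolve it (for Apache, `HostnameLookups On`).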