Ok, so I am building yet another API.<p>This time I wanted to go through some types of authentication implementations to see which one would be simplest for our customers to implement, and which one would be more secure.<p>How do you let your API users authenticate?<p>* Creating "Apps" in your service?<p>* User-based Private/Public key?<p>* Username/Password?<p>* OAuth?<p>Other ideas?<p>--
EDIT: Updated linebreaks in list.
Some resources if anyone is interested in reading:<p><a href="http://blog.apigee.com/detail/do_you_need_api_keys_api_identity_vs._authorization/" rel="nofollow">http://blog.apigee.com/detail/do_you_need_api_keys_api_ident...</a><p>In short:
<a href="http://stackoverflow.com/questions/6767813/api-keys-vs-http-authentication-vs-oauth-in-a-restful-api" rel="nofollow">http://stackoverflow.com/questions/6767813/api-keys-vs-http-...</a>
I create mobile apps against a REST backend on GAE and I use just basic authentication over HTTPS for authenticating the users. I SHA-1 the password and compare against a SHA-1 value in the database. It's the simplest there is and maybe not as secure as other alternatives, but I have not found any big problems with this. Please tell me if I am missing something vital. I have bought a book about OAuth but have not opened it yet. :)
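
An added example, not part of the comment above and not the commenter's code: a server-side check for HTTP Basic credentials that shows the unsalted SHA-1 record described there beside a salted PBKDF2 record compared in constant time. The function names, the `users` mapping and the `ITERATIONS` value are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune per deployment

def parse_basic_auth(header):
    """Return (username, password) from an Authorization header value, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    return (username, password) if sep else None

def sha1_record(password):
    """Scheme described in the comment: unsalted SHA-1, equal passwords give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_record(password):
    """Hardened record: per-user random salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def verify(password, record):
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

DUMMY = make_record("")  # hashed for unknown users so both paths cost the same

def authenticate(header, users):
    """users maps username -> record from make_record (hypothetical store)."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    username, password = creds
    record = users.get(username)
    if record is None:
        verify(password, DUMMY)
        return False
    return verify(password, record)
```

With the SHA-1 scheme every user who picks the same password stores the same digest, so one precomputed table covers the whole database; the salted record differs per user even for identical passwords.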