
What is a good way to transfer an authorization key to a server? I'm building a REST API right now and I'm stuck on how the user can authorize on that API. He will get an authorization key (that's not the problem), but what would be a good way to pass this key to the server? As a GET parameter, as an HTTP header field, as a cookie?

Which way is easy to handle with most programming languages (e.g. I want to use the API with PHP or Ajax)?

freakout

2 Answers


I suggest sending it via HTTP POST and, if possible, encrypting it before sending it and decrypting it on the server as needed.

Syed_Adeel
  • In order to use the API you have to transfer the key with every request to the server. What if you just want to get some information? In this way I have to use HTTP POST every time. This seems wrong, doesn't it? – freakout May 31 '13 at 18:28
  • Well, an attacker can attack a cookie as well as a header and HTTP request data, so in this sense neither way is 100% secure. What you can do is encrypt your key before saving it in a cookie and decrypt it on the server after fetching it. – Syed_Adeel May 31 '13 at 18:33

You could use the HTTP Basic authentication scheme, which uses the Authorization HTTP header. With Basic authentication, the client must provide its credentials on each request, so you might prefer the Digest authentication scheme, which is a little more secure.

Without more details, I might recommend OAuth 2.0 with the Client Credentials grant type. Basically, the client uses Basic authentication with its client credentials once to receive an access token, and then it uses the access token on subsequent resource requests. Typically the access token is submitted using the Authorization HTTP header.

OAuth is really an authorization framework, but it provides a good solution for API authentication also, and you might find its authorization tools useful for securing access to API resources. It could be that the Authorization Code grant type is applicable to your use case as well.

Related: Best Practices for securing a REST API / web service

Andre D
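The Client Credentials exchange described in the answer above, as an added example that is not part of the original answer or of any OAuth library: a token endpoint that authenticates the client with HTTP Basic exactly once and hands back a Bearer token, and a resource endpoint that accepts the token only from the Authorization header. The client id, client secret, the in-memory token store, and the use of plain dicts in place of real HTTP headers and form bodies are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed registered client for the example (assumption). In a real
# service store a hash of the secret, not the plaintext.
CLIENTS = {"my-client": "s3cret-client-secret"}

# Issued tokens keyed by SHA-256 of the token, so a leaked store does not
# leak usable bearer tokens. value: (client_id, expiry as unix time)
ACCESS_TOKENS = {}
TOKEN_TTL = 3600  # seconds


def _token_key(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def basic_header(client_id, secret):
    """Build the client's 'Authorization: Basic ...' header value."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Return (client_id, secret) from 'Basic base64(id:secret)', else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True)
        decoded = decoded.decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return client_id, secret


def token_endpoint(headers, form, now=None):
    """POST /token: Basic-authenticated client gets a Bearer access token.

    headers and form are dicts standing in for the HTTP request.
    Returns (status_code, json_body).
    """
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, secret = creds
    expected = CLIENTS.get(client_id)
    # Constant-time comparison of the secret.
    if expected is None or not hmac.compare_digest(
            expected.encode("utf-8"), secret.encode("utf-8")):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    ACCESS_TOKENS[_token_key(token)] = (client_id, now + TOKEN_TTL)
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL}


def resource_endpoint(headers, now=None):
    """GET /resource: the token is read from the Authorization header only.

    A token in the query string is never consulted (it would end up in
    server logs, proxies and browser history), so such a request fails.
    """
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, {"error": "invalid_request"}
    entry = ACCESS_TOKENS.get(_token_key(token))
    if entry is None:
        return 401, {"error": "invalid_token"}
    client_id, expiry = entry
    if expiry <= now:
        del ACCESS_TOKENS[_token_key(token)]  # prune the expired token
        return 401, {"error": "invalid_token"}
    return 200, {"client": client_id, "data": "hello"}


def client_flow(client_id, secret, now=None):
    """Client side: one Basic token request, then Bearer on every call."""
    status, body = token_endpoint({"Authorization": basic_header(client_id, secret)},
                                  {"grant_type": "client_credentials"}, now)
    if status != 200:
        return status, body
    return resource_endpoint({"Authorization": "Bearer " + body["access_token"]}, now)


if __name__ == "__main__":
    print(client_flow("my-client", "s3cret-client-secret"))
    print(client_flow("my-client", "wrong-secret"))
```

The client secret travels only on the token request; afterwards every API call carries a short-lived random token, which is what you would revoke or rotate rather than the secret itself. Both requests must go over TLS, since Basic credentials and Bearer tokens are equally usable by anyone who can read the header.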