Question

Working on an API service layer for our entire web application. One suggestion was just to pass an API key with each request (similar to Google); the other was to do Message Based Authentication.

http://en.wikipedia.org/wiki/Hash-based_message_authentication_code

What would everyone's recommendation be for moving forward with choosing which method to move towards?

Solution

I think the question should be

Do I need to validate the message's integrity?

If all you care about is limiting access to said resource, anything other than an API key will be overkill; API keys are lightweight, simple to implement and use authentication standards (BASIC, etc.). Once the message is received you can perform simple sanity checks on the data.

If you need to validate the authenticity of both user and message, then Message Based Authentication is the way to go.
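Added example (not part of the original answer): a minimal comparison of the two options, showing that an API-key check accepts a modified body while an HMAC check over method, path and body rejects it. The client id, keys, endpoint and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample credentials (hypothetical client id and secrets).
API_KEYS = {"client-1": "k3y-sample-value"}
HMAC_SECRETS = {"client-1": b"sample-shared-secret"}


def check_api_key(client_id: str, api_key: str) -> bool:
    """Authenticates the caller only; the request body is not covered."""
    expected = API_KEYS.get(client_id, "")
    return hmac.compare_digest(expected.encode(), api_key.encode())


def _message(method: str, path: str, body: bytes) -> bytes:
    # Everything that must not change in transit goes into the MAC input.
    return b"\n".join([method.encode(), path.encode(), body])


def sign(client_id: str, method: str, path: str, body: bytes) -> str:
    """Client side: HMAC-SHA256 with the shared secret."""
    secret = HMAC_SECRETS[client_id]
    return hmac.new(secret, _message(method, path, body), hashlib.sha256).hexdigest()


def check_hmac(client_id: str, method: str, path: str, body: bytes, signature: str) -> bool:
    """Server side: recompute the MAC and compare in constant time."""
    secret = HMAC_SECRETS.get(client_id)
    if secret is None:
        return False
    expected = hmac.new(secret, _message(method, path, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo() -> dict:
    body = b'{"amount": 10}'          # what the client sent
    tampered = b'{"amount": 9000}'    # what arrives after modification in transit
    sig = sign("client-1", "POST", "/transfer", body)
    return {
        # The API key says nothing about the body, so both bodies are accepted.
        "api_key_any_body": check_api_key("client-1", "k3y-sample-value"),
        "hmac_original": check_hmac("client-1", "POST", "/transfer", body, sig),
        "hmac_tampered": check_hmac("client-1", "POST", "/transfer", tampered, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The signature here does not cover a timestamp or nonce, so it detects modification but not replay of an unmodified request.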

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow