An API would be a good approach. However, if you implement such an API, you should keep these things in mind:
- Use strong auth keys for the API. You could filter the requests by the server IP; this would work, but I wouldn't recommend it, since you can send manipulated packets (IP spoofing).
- You can hash the password on your game server, but if the connection from the client to the server wasn't encrypted, the password has already been sent across the internet, and an attacker who wants the user's password would start at the client's unencrypted connection. So make sure to use SSL for every connection with critical user data.
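
The checks described in the answer above, sketched as an added example that is not part of the original post. The header name `X-Auth-Key`, the function names and the choice of PBKDF2-HMAC-SHA256 are assumptions made for illustration; the IP addresses are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

KEY_HEADER = "X-Auth-Key"  # hypothetical header name, not from the post


def new_api_key():
    """Return (key, digest): hand key to the game server, store only digest."""
    key = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    return key, hashlib.sha256(key.encode()).hexdigest()


def authorize(headers, scheme, remote_ip, stored_digest, allowed_ips=frozenset()):
    """Decide whether a request to the API may proceed."""
    if scheme != "https":  # anything sent over plain HTTP was already exposed
        return False
    if allowed_ips and remote_ip not in allowed_ips:
        return False  # optional extra filter, never the only check
    presented = headers.get(KEY_HEADER, "")
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_digest)  # constant-time compare


def hash_password(password, salt=None, rounds=600_000):
    """Salted PBKDF2-HMAC-SHA256, computed server-side after TLS delivery."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def verify_password(password, salt, expected, rounds=600_000):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    key, digest = new_api_key()
    game_server = "203.0.113.7"  # constructed sample address
    print(authorize({KEY_HEADER: key}, "https", game_server, digest))  # valid key over TLS
    print(authorize({}, "https", game_server, digest))  # right IP, no key
    print(authorize({KEY_HEADER: key}, "http", game_server, digest))  # no TLS
```

A request from the expected address without the key is still rejected, so the IP filter only narrows who can try; it does not authenticate anyone.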