I've created a REST API to provide several services to the users. Each one has a username, password and an API key, which is secret - it can only be decrypted by me.
My problem is that one of the apps is for the user to load a webpage and retrieve info from its calculations (which calls an API script).
For now the system I'm using is this:
1) First, the user must write the current time to a file in his domain.
2) The user sends to the API the current URL (which must match my database IP info) along with a value equal to the API key + time.
3) On my side, I fetch the file that must reside at the URL he sent - which must match the domain IP registered by him - and the difference in time can't be more than 5 seconds.
4) I generate a session token which includes his API key plus time (encrypted) again and send it to him.
5) The request page is loaded with the API key and session token as hidden fields that, when run, must match again the info I have.
Can someone please advise on refining this logic? Do I maintain the token for 5, 10, or 30 minutes? Or do I change it on every request?
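As an added example (not code from the question above), this Python sketch shows a server-side check for the "API key + time" value from steps 2 and 3 and the separately issued session token from step 4: the client proves possession of the key with an HMAC over URL, timestamp and nonce rather than by sending the key itself, the server enforces the 5-second window, rejects nonce replays, and hands out a random session token with its own expiry. The user name, key and URL are constructed sample values; HMAC and the nonce are assumptions added here, not part of the original scheme.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample: one registered user and their secret API key (server-side only).
API_KEYS = {"user1": b"constructed-secret-api-key"}
MAX_SKEW_SECONDS = 5          # window from step 3 of the scheme
SESSION_TTL_SECONDS = 600     # how long an issued session token stays valid

_seen_nonces: set[str] = set()   # replay protection inside the skew window
_sessions: dict[str, tuple[str, float]] = {}   # token -> (user, expiry)


def sign_request(api_key: bytes, url: str, ts: int, nonce: str) -> str:
    """Client side: keyed MAC over URL, timestamp and nonce; the key never leaves the client."""
    msg = f"{url}|{ts}|{nonce}".encode()
    return hmac.new(api_key, msg, hashlib.sha256).hexdigest()


def verify_request(user: str, url: str, ts: int, nonce: str, sig: str, now=None) -> bool:
    """Server side: check key, freshness, replay and signature in constant time."""
    now = time.time() if now is None else now
    key = API_KEYS.get(user)
    if key is None or abs(now - ts) > MAX_SKEW_SECONDS or nonce in _seen_nonces:
        return False
    expected = sign_request(key, url, ts, nonce)
    if not hmac.compare_digest(expected, sig):
        return False
    _seen_nonces.add(nonce)   # only remember nonces of accepted requests
    return True


def issue_session(user: str, now=None) -> str:
    """Hand out an opaque random token; it carries no key material, only a server-side lookup."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = (user, now + SESSION_TTL_SECONDS)
    return token


def check_session(token: str, now=None):
    """Return the user bound to a live token, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    user, expiry = entry
    if now > expiry:
        del _sessions[token]
        return None
    return user
```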