I am building a web application that provides an API as it’s primary function. I have been looking into methods for authentication but have been struggling to make a decision on what to use.

Since this will be a paid service and the API is the service, I need to make it as easy to use as possible so as not to put people off but obviously I want it to be secure. I have considered using HTTP basic authentication over SSL but would like to avoid the costs/overheads/hassle of SSL if possible early on and maybe provide it as an option later.

I like the AWS style API authentication (see here) but the problem is I can’t have users sending the query string as plain text along with a signature because the parameters may contain things like phone numbers which I think customers would rather not expose. I have thought about providing a secret key to encrypt the string which is sent along with an api key to identify the user.

What do you think the best option is to also encrypt the query string along with the request while maintaining simplicity?