I have a web site with users and their data accordingly.
What is the safest way to implement web services / API such that users’ login credentials and in turn data are secure? oAuth isn’t really an option, because usage will not necessarily be in other web apps.
My concern is that having the username and password as an input is dangerous to be transmitted plainly, and a token could also be stolen and reused maliciously.
Do I need to come up with my own method of encrypting and decrypting data, or is there a common practice(s) already in use?
The whole point is that it’s as open as possible for anyone in the world to use, but safe by definition nonetheless. Documentation will be available to everyone to use.
There’s always the WS-Security standard:
WS-Security (Wikipedia)
.NET has its implementations in .NET 1.1 and .NET 2.0 via the Microsoft Web Service Enhancements:
WSE 2.0 (.NET 1.1)
WSE 3.0 (.NET 2.0)
It provides various methods on encrypting the SOAP Envelope before it is sent over the wire, safely transmitting the data inside.