You can use CURL for this, to send a secure POST request, even if the receiver script is on another server. That will not expose anything in the URL, however Firebug may be able to see the request. To get around this, simply make sure that your auth key and the password that is being sent, are hashed.

Something like this (untested)

Here is the sender script

<?php

///// Sender.php ///////

//Set up some vars
$url = 'http://domain.com/Receiver.php';

$user = 'someusername';
$pw = 'somepassword';
$auth_key = 'YourSecretAuthKey';

$fields = array(
            'auth'=>urlencode($auth_key),
            'user'=>urlencode($user),
            'pw'=>urlencode($pw)
        );

// Init. string
$fields_string = '';
// URL-ify stuff
foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
rtrim($fields_string,'&');

//open connection
$ch = curl_init();

//set the url, number of POST vars, POST data
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_POST,count($fields));
curl_setopt($ch,CURLOPT_POSTFIELDS,$fields_string);

//execute post
$result = curl_exec($ch);

//close connection
curl_close($ch);


?>

And the receiver script:

<?php

////// Receiver.php //////

if(!isset($_POST['authkey']))die('Error: No Auth Key');
if(!isset($_POST['user']))die('Error: No Username!');
if(!isset($_POST['pw']))die('Error: No password!');

$auth_key = $_POST['auth'];
$correct_authkey = 'YourSecretKey';

if($auth_key!=$correct_authkey)die('WRONG AUTH KEY!!!!');

$user = $_POST['user'];
$pw = $_POST['pw'];

//// Here you can process your username and password

?>

A POST request is pretty secure, but if you are handling crucial information, you could always hash the auth key and password. Hope this helps.