I’m looking for ideas on how to restrict access to and log calls for an API we’re delivering for business partners to interface with our Customer Care application. Should we create usernames and passwords for our external partners just as we would our own employees? Is there some kind of snap-in layer for .Net that can manage access restrictions and metering or do we have to roll our own?

What formats should we support? Is JSON canonical or is there some new thing out there I need to know about?

I’m new to providing software-as-a-service and would love some advice, including an open source .Net project that I can examine for hints.

EDIT: now with bounty freshness!

EDIT: adding content to answer some questions

This will be an API for our partners to use to access our customer service functions, such as creating new accounts, making payments and other account management functionality.

I am familiar with PostSharp and have already produced a technology demo with logging features for method calls.

I am not interested in surveying our partners for which formats/protocols they’d prefer, since one of the requirements is the ability to add new partners without IT involvement. I’d just like some tips on best practices, so that we’re doing it the “right” way and they can conform.