There are a number of fairly established patterns for doing this.

• The simplest way to do so would be to provide the username:password as an Authorization header or part of the request (querystring/form data). This would require you to authenticate/authorize the user on each call. Not ideal for you, perhaps, but if you’re using WebHttp (if you didn’t mean this, I’d take a serious look at WCF Web Api), it would be fairly easy to build an HttpModule or something in the WCF channel stack to intercept the calls and authenticate the user.
• A very common way is to expose an endpoint that takes user:password and generates an API token. The user then takes that API token and uses it to authenticate subsequent calls. That token can be anything from weakly-encrypted data to a hash consisting of a shared secret key, the HTTP verb, requested resource, etc. You’ll find several example of this if you google “HMAC Authentication”. Azure’s authentication schemes are an example of a really granular token. The nice thing about this approach is that you have one endpoint concerned with authentication and building the tokens, and your other endpoints just need to know how to validate the hash or decrypt the token; a nice separation of concerns.
• OAuth/OAuth2 are pretty much the de facto standard if you expect your API’s consumer to be a third-party application.