There are many approaches to locking down an API. Here I start off with HTTP Basic authentication then move on to generating a unique token which can be passed through a URL parameter or HTTP header.

Read more at the source