[TMKCodes]

I am developing restful account authentication system which supports multiple applications. I know how to do the account authentication, but i'm not certain how to securely authenticate the applications to access the restful API. I've been trying to Google, but I keep getting answers only on how to get application programming interface keys for existing API's but not what I want to know. So any help here?

I though I would need Secret and Public key. Before doing any other tasks it would have to retrieve public key with the secret key from the API and use this public key to authenticate the application when doing some other task, but if I retrieve this public key only once before doing other tasks then anyone can use this public key to fake themselves as valid application. Though if I generate new public key for the application every time before some task is done then the api key will keep changing and add some safety as it will get nulled after the task is complete and this would always require the use of secret key, but I am not certain how I should do this. So any tips?

[Core]

Ever considered OAuth? It offers a token based authentication model and I think that you are going the same way with your idea.

[TMKCodes]

Core I'm doing this just for my own experience and to use for my own sites, though I'm publishing it as GLPv3. For some reason I don't like Oauth.