I have some web sites programmed, I know to do it with python and PHP basically. Normally they are simple web sites, but now I want to provide REST web services but only for allowed users (allowed by me).

I saw that a lot of services uses the "KEY" and "SECRET_KEY" concepts, which seems to be what I need (if I understand it right).

My suppositions are:

1. If I only do a GET service to retrieve, e.g., all my clients, without anymore, anyone can retrieve my clients without limitations.
2. I will need some KEY generator to provide keys for my allowed users, so they can use my webservices.
3. Only with a KEY is not enough: someone can steal a KEY and supplant my user (and this is the reason because exists a SECRET_KEY, right?).

If all this is right, how can I make/use a system like that in my web services? Some open source example?

Or maybe there are another easy solutions I'm not considering?

My objective is to allow some users to use my web services.