I would like some feedback on the issue of how to allow API users to prove who they are without using a cookie (some clients simply do not support them), but instead pass all relevant information in the URL/POST.
Doesn't PHP do that itself if the browser doesn't support cookies? (If you have the appropriate setting turned on in php.ini, anyway.)