I would like some feedback on the issue of how to
allow API users to
prove who they are without using a cookie (some clients simply do not
support them), but instead pass all relevant information in the
URL/POST.
Doesn't PHP do that itself if the browser doesn't support cookies? (If
you have the appropriate setting turned on in php.ini, anyway.)