I would avoid using HTTP digest for an API. For one thing, HTTP digest
relies on MD5 which is considered broken now.
Consider using the client creds OAuth grant type. This is very simple,
two legged (as you require), and standard based. Of course, during the
handshake, you still need to authenticate. I would normally use HTTP
Basic over SSL for that part.
Another approach would be to just use HMAC signature based on the
shared secret between the consumer and the API. This post might give
you some ideas:
http://bit.ly/KeAcfa.
-fl