
How Can I Automatically Authenticate A Different Site?

I have a WordPress site, and I am using the API of a 3rd party search provider which uses Basic HTTP Authentication. When the user searches on my site, a JS submits the search reque

Solution 1:

With HTTP Basic auth, the one doing the request has to submit a username and password to authenticate, which means the one doing the request needs to know the username and password. There's no way to let the client make a request to an HTTP Basic secured site without also exposing the user credentials to him. Even if you can hide it from the URL and thereby from plain sight of the end user, it's still visible for anybody who cares to look in the right places (network request inspection tab etc).

What you want is a form of third-party auth where your server authenticates with the API provider and receives a time-limited token. You then send the user to a URL with that token, which the API provider will accept and which allows the user to authenticate once without giving out the constant secret. Essentially you're using one-time passwords this way. The API provider will have to support and implement this mechanism explicitly.
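
The time-limited, single-use token scheme described in the answer above, sketched from the API provider's side as an added example (not code from the original page or from any real provider). The function names `mintToken` and `redeemToken`, the HMAC-SHA256 token layout and the in-memory replay set are all assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Assumption: a signing key known only to the API provider (random per run here).
const SIGNING_KEY = nodeCrypto.randomBytes(32);
// Assumption: in-memory replay set; a real deployment needs a shared store with expiry.
const usedTokenIds = new Set();

function sign(payload) {
  return nodeCrypto.createHmac("sha256", SIGNING_KEY).update(payload).digest("base64url");
}

// Called only after the site's server has authenticated with its long-term
// username/password. The browser never sees those, only the returned token.
function mintToken(account, ttlSeconds, nowMs = Date.now()) {
  const claims = {
    sub: account,
    exp: Math.floor(nowMs / 1000) + ttlSeconds,       // expiry, seconds since epoch
    jti: nodeCrypto.randomBytes(16).toString("hex"),  // unique id for replay checks
  };
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${body}.${sign(body)}`;
}

// Called when the browser presents the token in the URL.
// Returns the account name, or null if the token is forged, expired or reused.
function redeemToken(token, nowMs = Date.now()) {
  const [body, mac] = String(token).split(".");
  if (!body || !mac) return null;
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(mac);
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) return null;
  // Safe to parse now: the MAC proves the provider produced this body.
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (Math.floor(nowMs / 1000) >= claims.exp) return null;  // expired
  if (usedTokenIds.has(claims.jti)) return null;            // already redeemed
  usedTokenIds.add(claims.jti);
  return claims.sub;
}
```

A token captured from the browser's network tab is useless once redeemed or expired, which is the property Basic auth credentials embedded in client-side JavaScript cannot provide.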
