Request signing almost always goes hand in hand with API keys, because user passwords tend not to have enough entropy to serve as good request signing keys. The chief advantage of request signing is that it never sends sensitive authentication data over the wire. Consequently, you can run a request-signing API over plaintext. When done right, you don’t even have to worry about man-in-the-middle attacks. Finally, when you combine it with a nonce, you can also prevent replay attacks.
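A sketch of the scheme described above, added here as an example and not taken from any particular API: the client sends a key id, nonce, timestamp and HMAC-SHA256 tag, and the server recomputes the tag and rejects tampered or replayed requests. The key id, field names, canonical string layout and 300-second window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: the key id and random secret are placeholders.
API_KEYS = {"demo-key-id": secrets.token_bytes(32)}
MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


def canonical(method, path, body, key_id, nonce, ts):
    """Bind every field the server acts on into the signed message."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, key_id, nonce, str(ts)]).encode()


def sign_request(key_id, secret, method, path, body, now=None):
    """Client side: the key id, nonce, timestamp and MAC travel; the secret never does."""
    nonce = secrets.token_hex(16)
    ts = int(time.time() if now is None else now)
    mac = hmac.new(secret, canonical(method, path, body, key_id, nonce, ts), hashlib.sha256)
    return {"key_id": key_id, "nonce": nonce, "ts": ts, "sig": mac.hexdigest()}


class Verifier:
    def __init__(self, keys):
        self.keys = keys
        self.seen = {}  # (key_id, nonce) -> expiry; a shared store is needed across servers

    def verify(self, method, path, body, auth, now=None):
        now = time.time() if now is None else now
        secret = self.keys.get(auth["key_id"])
        if secret is None:
            return "unknown-key"
        if abs(now - auth["ts"]) > MAX_SKEW:
            return "stale"
        msg = canonical(method, path, body, auth["key_id"], auth["nonce"], auth["ts"])
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["sig"]):  # constant-time comparison
            return "bad-signature"
        # Record the nonce only after the MAC verifies, so forgeries cannot fill the cache.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if (auth["key_id"], auth["nonce"]) in self.seen:
            return "replay"
        self.seen[(auth["key_id"], auth["nonce"])] = auth["ts"] + MAX_SKEW
        return "ok"
```

The tag covers integrity and authenticity only: over plaintext the request body is still readable by anyone on the path. Nonces need to be remembered only for as long as the timestamp window would still accept the request.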