php - Authenticating users for write-access via an API
I'm building an API for my site and I'm faced with a problem. I want my users to be able to "log in" to their account using the API, but my site doesn't utilize a username/password system, it uses Twitter's API and a cookie/session for authentication. I'm trying to think of the best way to allow users to post data using the API without compromising security. Basically I need a way to make sure that the user is who they say they are from within the application.
One idea I was thinking of was to have the user create a password which they would use to "log in" through a method in the API. Sending the proper credentials (Twitter username and their selected password) to this method would return a token which would be associated with their account. To go even further, I could set the token (essentially an API key) as inactive initially and have the API also return a secret code which would also be associated with the user's account. The user would then have to log into their profile on the site and enter the secret code, which would activate their token and allow them to post using the API.
I want to make it simple for the user, but I don't want to potentially compromise other user's security. Can anyone suggest a better way of doing something like this, or let me know if the way I've suggested would be a good way of doing it?