An example of securing an API in PHP. I have included both the client side and the server side of things.
It based off of this article here which is well worth a read so you can get a good understanding of the flow.
Right now this is configured to be running in http://localhost/ so if you are running it anywhere else you will need to change the URL in both the client.php file and the server.php file (otherwise the internet might fall over).
Once you have your local environment or whatever pointed at the folder, head to insert your URL here/client.php to see it in action.
If you see "Hey! You are authenticated to be here" then it means all has gone well!
There are three errors it may give you, if the timestamp provided by client.php is older than 5 minutes of the time generated by server.php, you will get a timestamp error. If the public API key is not valid then you will get an API key error. Most important of all, if you get "Uh oh, looks like someones been tampering with the wires!" then it means it was not able to match the two generated hashes. If you are seeing this on first setup you may want to check the URLs in the code - to help prevent Man In The Middle (MITM) attacks we include the request URL in the hashing process.
Once you have it launched, take a look through client.php and server.php to see how it all works. I have tried to comment as much of the process as possible in an attempt to make it easier to read.
There are a number of things that could be done more efficiently but I have expanded it as much as possible to make it easy to read. For example a lot of the 'If' statements could be combined and a lot of the variable names could be considerably shorted than they are.