Protecting API credentials - suggested method?


I have an api on one Rails 3 application that is accessed by using a
token and a key. The clients provide the token and key in the url with a
GET request.

They are generated this way:

key = SecureRandom.uuid
token = ActiveSupport::SecureRandom.base64(44).tr(’+/=’, ‘xyz’)

(currently the token is stored as such in the db but I’ll probably
encrypt it to avoid that)

But still, I’d like to encrypt the key and token with a shared secret
since they are sent as
part of an iframe source. And obviously it is not good idea to have them
in open form.

The idea is that a secret key would be shared between the server and
client and used for the encryption. Then decrypted at server side to

The client is writen in PHP. So my question would be what is a suitable
encryption method for this? Or shall I use something already provided by
Rails itself?

SSL would be available but not just know…after all I just need to
protect key and token.