I'm writing a simple RESTful service, using Phil Sturgeon Rest Server. I want to protect my methods by using the API key provided with this library.

Unfortunately, this is not very well documented and I'm a bit lost.

I want to authenticate users (email/password), then generate an auth key to send on every other requests. But it seems that I already need the auth key to generate one ... Create a dummy key does not seem very secure. Sorry if it is a dumb question, but what should be the best practice?

If you are familiar with other APIs you'll notice a common pattern. I recommend an authenticate method where the user passes their email and password, which will return a generated unique auth key. The auth key would be like a session id, think of how cookies work. Then all the other API methods should check $this->post('auth') and you need to compare this with your session handler (i.e. database or sessions), before you process each request.

Seems like a lot of code huh? Nope.

All your models should have an overloaded constructor:

class MyAPIController extends Rest_controller
{
    public function __construct()
    {
        parent::__construct();

        if(!authCheck($this->post('auth'))){
            returnFailedResponse();
            exit();
        }
}

Then write you API normally, like in the examples on Phil Sturgeon's website. http://net.tutsplus.com/tutorials/php/working-with-restful-services-in-codeigniter-2/

Make a model that has authCheck to test that the auth key is valid, and make a method for returnFailedResponse to return a 401 Unauthorized.

In another controller, lets call it 'Auth', use the above contructor.

Now every call to your api should set a header for the Auth. Ex. 'Auth: 12m34k23b'.