I am building an API that is going to be used by a partner's website. The website will be in the same domain (api.example.com and www.example.com). In the future we might have a mobile app that will consume this API.
I would not like to have someone using my API for their own website/app. So I would like to have a way to validate my website to my API. I've searched on SO and found out that I would have to set a cookie in my website so I send it with every AJAX request. Fair enough, but how would I generate this cookie? If I call a method in my API, I would have to validate its origin, so it wouldn't solve it.
I could set an encryption key on both sides and encrypt some information with a salt and send to the api to check the information. I am not a security expert, but it seems it would solve my issue. Is this correct? When a user logs into my website, would it be safe to change this validation with the user's login token?
What you're describing is called a CSRF (Cross Site Forgery Request).
To prevent someone from accessing your APIs from outside your request, your website should store a token within the session, pass this token for every API request, then the API should validate the token.
There are a ton of good articles on the subject, including many specific examples.
Here is one of them: preventing-cross-site-request-forgeries
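The session-stored token the answer describes, as an added example (not code from the question or the answer). It assumes a framework-agnostic server with an in-memory session store (constructed here for the demo), a session cookie named `session`, and a request header named `X-CSRF-Token`; all of those names are assumptions. The token is rendered into the page by www.example.com and copied into the header by that page's own script, so a third-party page, which cannot read another origin's DOM, never learns it even though the browser attaches the session cookie to its forged request. It also shows rotating the session id and token at login, which is one way to tie the check to the user's login as the question asks.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the server-side session
# your web framework already keeps, keyed by the session cookie value.
SESSIONS = {}

TOKEN_HEADER = "X-CSRF-Token"  # assumed header name


def create_session():
    """Start an anonymous session and mint a CSRF token for it. Returns the session id."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": None, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def login(session_id, username):
    """Bind the session to a user. Both the session id and the CSRF token are
    regenerated so a pre-login value captured earlier cannot be replayed
    against the authenticated session. Returns the new session id."""
    SESSIONS.pop(session_id)
    new_id = secrets.token_urlsafe(32)
    SESSIONS[new_id] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return new_id


def page_csrf_token(session_id):
    """What www.example.com renders into its own page (for example in a <meta>
    tag) so its own JavaScript can copy it into the request header."""
    return SESSIONS[session_id]["csrf_token"]


def validate_api_request(cookies, headers):
    """Check a request arriving at api.example.com. The browser sends the session
    cookie on forged requests too, so the cookie alone proves nothing; the header
    must carry the token that only our own page could have read."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return False
    presented = headers.get(TOKEN_HEADER, "")
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(session["csrf_token"].encode("utf-8"),
                               presented.encode("utf-8"))


def demo():
    """Walk through the legitimate and forged cases; returns a dict of outcomes."""
    sid = create_session()
    sid = login(sid, "alice")
    token = page_csrf_token(sid)
    victim_cookies = {"session": sid}
    return {
        # Our own page: cookie plus the token it read from its own DOM.
        "own_site": validate_api_request(victim_cookies, {TOKEN_HEADER: token}),
        # Forged request from another site: the browser still attaches the cookie,
        # but that site had no way to learn the token.
        "forged_no_token": validate_api_request(victim_cookies, {}),
        "forged_guessed_token": validate_api_request(
            victim_cookies, {TOKEN_HEADER: secrets.token_urlsafe(32)}),
        # A token from the attacker's own session does not validate a victim's session.
        "token_from_other_session": validate_api_request(
            victim_cookies, {TOKEN_HEADER: page_csrf_token(create_session())}),
        # A valid token with no session cookie at all.
        "no_session": validate_api_request({}, {TOKEN_HEADER: token}),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Note what this check does and does not buy you: it stops another site from making a logged-in visitor's browser call api.example.com on their behalf, which is the CSRF case the answer names. It does not stop someone from calling the API directly with their own client and their own session, and a mobile app has no page to read the token from, so it would need its own authentication (a bearer token or similar) rather than this cookie-plus-header pairing.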