I'll try to explain the problem.
There is some service, which has API built totally in JS (ajax/json) for sites-partners. Site-partner is person, who has some contract with service. So the access to the API does have only certain persons (sites-partners). What do i have to do is to create some authorization way for the service to find out is the request really coming from the site-partner.
The complexity is that API is fully written in JS. That is why neither HTTP authentication, neither secret API key, neither RSA keys exchange are not suitable for this type of API, because the service needs some authentication parameters to receive and the only way to do that is to pass them via AJAX using the JSON format. So, everyone, who knows how to look in the source code of the page, can simply copy those parameters and use them every way they want to.
The variant with IP restriction is not suitable too, at least because the site-partner can be hosted on the shared-hosting.
I thought to use some API key with some unclear hash (clear only for the service) + timestamp. But this method will become clear sooner or later.
Anyway, everything that comes to mind is not fully suitable. Maybe someone has faced that problem? Will appreciate any answers.
because the service needs some authentication parameters to receive and the only way to do that is to pass them via AJAX using the JSON format.
I think you're misunderstanding the difference between JSON and JavaScript. JSON is a data format, like XML or SOAP. You don't have to use JavaScript to read it. There is great support for JSON in PHP, Ruby, Java, Python, and others. Usually JSON is passed over HTTP.
So, everyone, who knows how to look in the source code of the page, can simply copy those parameters and use them every way they want to.
If your service provider is requiring you to use some sort of key, I really doubt they want you to do it inside a browser. You probably won't even be allowed to make the request because of Cross Origin constraints (most browsers won't let you make a request (especially POST) do a domain that is not the one you are requesting it from).
My guess is that you're going to need to do the processing with your provider on the server side. If your provider has documentation, I'd consult it. Otherwise see if you can get one of their developers to help you.