Authenticaten API maybe too much?

Hi.

So i'm converting my website i have to API based, the frontend api is done but then i have to make a backend API with login. I have been thinking of authentication API to my login and now i'm trying to reverse engineer it a bit.

We hare currently 2-3 users maybe a bit more that need access. i still need to be secure and not just a MD5/SHA1 encrypted password in a database.

i'm thinking of looking at http://docs.phalconphp.com/en/latest/reference/security.html and use that instead of using OAuth2 or OpenID etc i think that would be too much.

I plan to do a route to /login and do a check on that, return a cookie or maybe just a session, not sure.

please come with inputs :)

Hi @zyxep
I would use a sha256-Hash with some salt. (http://en.wikipedia.org/wiki/Salt%5(cryptography))
For example, this can be the creation date of the user or something like that. For hashing this is secure enought
Then I would use secure sessions. http://stackoverflow.com/questions/328/php-session-security and perhaps this one http://de2.php.net/session%5regenerate%5id

But the strongest argument which security I choose is how strength my data has to be protected. So think about it,