What to consider when creating your own custom web services API?

I have created a website that allows users to register and use an online service. To help promote the site, we will have resellers offering their branded services through us. The initial plan is to allow resellers to host registration, login, and orphaned password forms on their own website and use the API we created to handle these requests.

I started outlining how I expect the API to work (and start documenting it as well), and I want to make sure I get it right, or as close to myself as I can, how I can from the start, how I know, once you have declared a public API that you want to avoid changing this API at all costs.

So far I have solved:

• For the user to pass their credentials with every request
• To require SSL for all requests

What else should I remember?