Example of the data that's produced:

{"text": "{\"username\": \"Crazy Legs\", \"realm\": \"Froo\", \"uuid\": \"468c80e2-efeb-11dd-a3fa-001111584cef\", \"hostname\": \"selene.tfkyle.dyndns.org\", \"drift\": \"0:05:00\", \"sourcetypes\": [\"basic\", \"username_ident\", \"site\"], \"time\": \"2009-01-31T23:02:47.078006+00:00\", \"port\": 80}", "signature": [1128231809468112349232819271767278277148657933710, 915027228891795972762910553540640850645332455527]}

Currently the uuid is stored on the server for current_time+drift_period+, and if another request is made with the same uuid in that time, it's rejected. The time is checked to be within the drift period, and if it isn't, it's rejected too. Then, of course, the hostname/realm and signature are checked to see that they match what you expect.

For the request, the above data is base64 encoded and sent in the Authorization: header, though I'm not entirely sure if that'll stick if I want to make it optional (I think just returning an un-authed response when the auth isn't correct would work).
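A sketch of the server-side checks described above, as an added example and not the project's own code. `TokenChecker`, `parse_drift`, the `verify_sig` hook (the signature scheme is not named here, so it is supplied by the caller) and the server-side `max_drift` cap are all assumptions. The signature is verified first so unauthenticated input never reaches the uuid cache, and each uuid is kept until `time + drift`.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

def parse_drift(value):
    """Turn the "H:MM:SS" drift field into a timedelta."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)

class TokenChecker:
    """Hypothetical server-side checker; all names here are assumptions."""

    def __init__(self, hostname, realm, verify_sig, max_drift=timedelta(minutes=5)):
        self.hostname, self.realm = hostname, realm
        self.verify_sig = verify_sig  # assumed hook: (text_bytes, signature) -> bool
        self.max_drift = max_drift    # server cap: a token cannot widen its own window
        self.seen = {}                # uuid -> time after which it may be forgotten

    def check(self, header_value, now=None):
        now = now or datetime.now(timezone.utc)
        # Forget uuids whose tokens could no longer pass the time check anyway.
        self.seen = {u: exp for u, exp in self.seen.items() if exp > now}
        try:
            outer = json.loads(base64.b64decode(header_value, validate=True))
            text = outer["text"]
            # Verify over the exact signed string before trusting any field in it.
            if not self.verify_sig(text.encode(), outer["signature"]):
                return "bad signature"
            data = json.loads(text)
            drift = min(parse_drift(data["drift"]), self.max_drift)
            sent = datetime.fromisoformat(data["time"])
            age = abs(now - sent)  # TypeError if the timestamp has no UTC offset
            uuid, target = str(data["uuid"]), (data["hostname"], data["realm"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return "malformed"
        if target != (self.hostname, self.realm):
            return "wrong hostname/realm"
        if age > drift:
            return "outside drift window"
        if uuid in self.seen:
            return "replayed uuid"
        # Keep the uuid until sent + drift, the last moment this token is valid.
        self.seen[uuid] = sent + drift
        return "ok"
```

Keeping the uuid only until `now + drift` would let a future-dated token be replayed after its cache entry expired but while its timestamp was still inside the window.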